epicosy

11 exploits. Active since Sep 2013
CVE-2020-13973 NOMISEC MEDIUM WRITEUP
OWASP json-sanitizer < 1.2.1 - Cross-Site Scripting via SCRIPT Element Confusion
OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.
CVSS 6.1
CVE-2020-26217 NOMISEC HIGH STUB
XStream < 1.4.14 - Remote Code Execution via Blocklist Bypass
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CVSS 8.0
CVE-2019-15477 NOMISEC MEDIUM STUB
Jooby < 1.6.4 - Cross-Site Scripting via Default Error Handler
Jooby before 1.6.4 has XSS via the default error handler.
CVSS 6.1
CVE-2019-13990 NOMISEC CRITICAL STUB
Terracotta Quartz Scheduler <2.3.0 - SSRF
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVSS 9.8
CVE-2019-17513 NOMISEC HIGH STUB
Ratpack < 1.7.5 - HTTP Response Splitting via Unvalidated HTTP Headers
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVSS 7.5
CVE-2018-25075 NOMISEC MEDIUM WRITEUP
karsany OBridge <1.3 - SQL Injection
A vulnerability classified as critical has been found in karsany OBridge up to 1.3. Affected is the function getAllStandaloneProcedureAndFunction of the file obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. The manipulation leads to SQL injection. The complexity of an attack is rather high, and exploitation is considered difficult. Upgrading to version 1.4 addresses this issue. The name of the patch is 52eca4ad05f3c292aed3178b2f58977686ffa376. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218376.
CVSS 4.6
CVE-2018-1000844 NOMISEC CRITICAL STUB
Square Retrofit < 2.5.0 - XML External Entity Injection via JAXB
Square Open Source Retrofit, in versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437, contains an XML External Entity (XXE) vulnerability in JAXB. An attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed in commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
CVSS 9.1
CVE-2016-5394 NOMISEC MEDIUM STUB
Apache Sling XSS Protection API < 1.0.12 - Cross-Site Scripting via encodeForJSString Method
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
CVSS 6.1
CVE-2016-10006 NOMISEC MEDIUM WRITEUP
OWASP AntiSamy < 1.5.5 - Cross-Site Scripting via Style Attribute Bypass
In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
CVSS 6.1
CVE-2015-6748 NOMISEC MEDIUM WRITEUP
jsoup < 1.8.3 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.
CVSS 6.1
CVE-2013-4378 NOMISEC WORKING POC
JavaMelody < 1.46 - Cross-Site Scripting via X-Forwarded-For Header
Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.