scabench - Security Researcher - Exploit Intelligence Platform

CVE-2022-45688 NOMISEC HIGH WORKING POC

Hutool < 20230227 - Out-of-Bounds Write

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

1 stars

CVSS 7.5

View Code

CVE-2022-45688 NOMISEC HIGH WRITEUP

Hutool < 20230227 - Out-of-Bounds Write

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CVSS 7.5

View Code

CVE-2022-45688 NOMISEC HIGH WORKING POC

Hutool < 20230227 - Out-of-Bounds Write

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CVSS 7.5

View Code

CVE-2022-45688 NOMISEC HIGH WRITEUP

Hutool < 20230227 - Out-of-Bounds Write

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CVSS 7.5

View Code

CVE-2022-45688 NOMISEC HIGH WRITEUP

Hutool < 20230227 - Out-of-Bounds Write

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CVSS 7.5

View Code

CVE-2022-25845 NOMISEC HIGH WORKING POC

Alibaba Fastjson < 1.2.83 - Insecure Deserialization

The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

CVSS 8.1

View Code

CVE-2021-44228 NOMISEC CRITICAL WORKING POC

Log4Shell HTTP Header Injection

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS 10.0

View Code

CVE-2021-44228 NOMISEC CRITICAL WORKING POC

Log4Shell HTTP Header Injection

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS 10.0

View Code