CVE-2020-5568
published 2020-04-28CVE-2020-5568: Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 5.0.0 allows remote attackers to inject arbitrary web script or HTML via the applications…
PriorityP423medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.78%
51.3th percentile
Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 5.0.0 allows remote attackers to inject arbitrary web script or HTML via the applications 'Messages' and 'Bulletin Board'.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybozu | garoon | 4.6.0 – 5.0.0 | — |
| cybozu_inc | cybozu_garoon | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution
bugzilla·2020-06-18·CVSS 9.8
CVE-2020-11972 [CRITICAL] CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution
CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
References:
http://www.openwall.com/lists/oss-security/2020/05/14/10
http://www.openwall.com/lists/oss-security/2020/05/14/8
https://camel.apache.org/security/CVE-2020-11972.html
Discussion:
This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/
Bugzilla
CVE-2020-1950 tika: excessive memory usage in PSDParser
bugzilla·2020-04-09·CVSS 5.5
CVE-2020-1950 [MEDIUM] CVE-2020-1950 tika: excessive memory usage in PSDParser
CVE-2020-1950 tika: excessive memory usage in PSDParser
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
Reference:
https://lists.apache.org/thread.html/r463b1a67817ae55fe022536edd6db34e8f9636971188430cbcf8a8dd%40%3Cdev.tika.apache.org%3E
Discussion:
Created tika tracking bugs for this issue:
Affects: fedora-all [bug 1822760]
---
This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-1950
Bugzilla
CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
bugzilla·2019-01-29·CVSS 9.8
CVE-2019-3773 [CRITICAL] CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
External References:
https://pivotal.io/security/cve-2019-3773
Discussion:
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
---
This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
---
This bug is now closed. Further
Bugzilla
CVE-2019-3774 spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
bugzilla·2019-01-29·CVSS 9.8
CVE-2019-3774 [CRITICAL] CVE-2019-3774 spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
CVE-2019-3774 spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
External References:
https://pivotal.io/security/cve-2019-3774
Discussion:
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
---
This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
---
This bug is now closed. Further updates for individual products will be ref
2020-04-28
Published