Oracle Banking Digital Experience vulnerabilities
31 known vulnerabilities affecting oracle/banking_digital_experience.
Total CVEs
31
CISA KEV
0
Public exploits
4
Exploited in wild
2
Severity breakdown
CRITICAL3HIGH19MEDIUM8LOW1
Vulnerabilities
Page 1 of 2
CVE-2021-41164MEDIUMCVSS 5.4≥ 18.1, ≤ 18.3v19.1+3 more2021-11-17
CVE-2021-41164 [HIGH] CWE-79 CVE-2021-41164: CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been disco
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users usin
nvd
CVE-2021-41165MEDIUMCVSS 5.4≥ 18.1, ≤ 18.3v19.1+3 more2021-11-17
CVE-2021-41165 [HIGH] CWE-79 CVE-2021-41165: CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discov
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using
nvd
CVE-2021-37137HIGHCVSS 7.5v18.1v18.2+5 more2021-10-19
CVE-2021-37137 [HIGH] CWE-400 CVE-2021-37137: The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memo
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size
nvd
CVE-2021-37136HIGHCVSS 7.5v18.1v18.2+5 more2021-10-19
CVE-2021-37136 [HIGH] CWE-400 CVE-2021-37136: The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
nvd
CVE-2021-2351HIGHCVSS 7.5≥ 18.1, ≤ 18.3v17.2+4 more2021-07-21
CVE-2021-2351 [HIGH] CWE-327 CVE-2021-2351: Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versi
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a perso
nvd
CVE-2021-35515HIGHCVSS 7.5≥ 18.1, ≤ 18.3v19.1+2 more2021-07-13
CVE-2021-35515 [HIGH] CWE-834 CVE-2021-35515: When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
nvd
CVE-2021-36090HIGHCVSS 7.5≥ 18.1, ≤ 18.3v19.1+3 more2021-07-13
CVE-2021-36090 [HIGH] CWE-130 CVE-2021-36090: When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memo
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
nvd
CVE-2021-35517HIGHCVSS 7.5≥ 18.1, ≤ 18.3v19.1+3 more2021-07-13
CVE-2021-35517 [HIGH] CWE-130 CVE-2021-35517: When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memo
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
nvd
CVE-2021-35516HIGHCVSS 7.5≥ 18.1, ≤ 18.3v19.1+3 more2021-07-13
CVE-2021-35516 [HIGH] CWE-130 CVE-2021-35516: When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memor
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
nvd
CVE-2021-29425MEDIUMCVSS 4.8v17.2v18.1+5 more2021-04-13
CVE-2021-29425 [MEDIUM] CWE-20 CVE-2021-29425: In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper i
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to constru
nvd
CVE-2021-28164MEDIUMCVSS 5.3PoCv20.1v21.12021-04-01
CVE-2021-28164 [MEDIUM] CWE-200 CVE-2021-28164: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests w
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implement
nvd
CVE-2021-28163LOWCVSS 2.7v20.1v21.12021-04-01
CVE-2021-28163 [LOW] CWE-200 CVE-2021-28163: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user use
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
nvd
CVE-2020-11987HIGHCVSS 8.2v18.3v19.1+3 more2021-02-24
CVE-2020-11987 [HIGH] CWE-20 CVE-2020-11987: Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
nvd
CVE-2020-14195HIGHCVSS 8.1v18.1v18.2+4 more2020-06-16
CVE-2020-14195 [HIGH] CWE-502 CVE-2020-14195: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
nvd
CVE-2020-14062HIGHCVSS 8.1v18.1v18.2+4 more2020-06-14
CVE-2020-14062 [HIGH] CWE-502 CVE-2020-14062: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
nvd
CVE-2020-14060HIGHCVSS 8.1v18.1v18.2+4 more2020-06-14
CVE-2020-14060 [HIGH] CWE-502 CVE-2020-14060: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
nvd
CVE-2020-14061HIGHCVSS 8.1v18.1v18.2+4 more2020-06-14
CVE-2020-14061 [HIGH] CWE-502 CVE-2020-14061: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-a
nvd
CVE-2020-11022MEDIUMCVSS 6.1ExploitedPoCv18.1v18.2+5 more2020-04-29
CVE-2020-11022 [MEDIUM] CWE-79 CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted source
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
nvd
CVE-2020-11111HIGHCVSS 8.8v18.1v18.2+4 more2020-03-31
CVE-2020-11111 [HIGH] CWE-502 CVE-2020-11111: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
nvd
CVE-2020-11113HIGHCVSS 8.8v18.1v18.2+4 more2020-03-31
CVE-2020-11113 [HIGH] CWE-502 CVE-2020-11113: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
nvd
1 / 2Next →