Oracle Enterprise Session Border Controller vulnerabilities

CVE-2023-22083 [MEDIUM] CVE-2023-22083: Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (c Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (component: Web UI). Supported versions that are affected are 9.0-9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Session Border Controller. Successful attacks require human int

CVE-2022-21382 [HIGH] CVE-2022-21382: Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (c Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (component: WebUI). Supported versions that are affected are 8.4 and 9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Session Border Controller. While the vulnerability is in Oracle

CVE-2022-21381 [MEDIUM] CVE-2022-21381: Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (c Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (component: WebUI). Supported versions that are affected are 8.4 and 9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Session Border Controller. While the vulnerability is in Oracl

CVE-2022-21383 [MEDIUM] CVE-2022-21383: Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (c Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (component: Log). Supported versions that are affected are 8.4 and 9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerabil

CVE-2021-3711 [CRITICAL] CWE-120 CVE-2021-3711: In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_ In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The applicati

CVE-2021-3712 [HIGH] CWE-125 CVE-2021-3712: ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that

CVE-2021-23017 [HIGH] CWE-193 CVE-2021-23017: A security issue in nginx resolver was identified, which might allow an attacker who is able to forg A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

CVE-2021-29425 [MEDIUM] CWE-20 CVE-2021-29425: In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper i In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to constru

CVE-2020-1971 [MEDIUM] CWE-476 CVE-2020-1971: The X.509 GeneralName type is a generic type for representing different types of names. One of those The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A

CVE-2020-14630 [HIGH] CWE-404 CVE-2020-14630: Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications Ap Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications Applications (component: File Upload). Supported versions that are affected are 8.1.0, 8.2.0 and 8.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Session Border Controller

CVE-2020-11022 [MEDIUM] CWE-79 CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted source In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2019-10219 [MEDIUM] CWE-79 CVE-2019-10219: A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properl A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

CVE-2019-11358 [MEDIUM] CWE-1321 CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(t jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.