Oracle Retail Merchandising System vulnerabilities
56 known vulnerabilities affecting oracle/retail_merchandising_system.
Total CVEs
56
CISA KEV
1
actively exploited
Public exploits
3
Exploited in wild
1
Severity breakdown
CRITICAL12HIGH31MEDIUM13
Vulnerabilities
Page 3 of 3
CVE-2020-9548CRITICALCVSS 9.8PoCv15.02020-03-02
CVE-2020-9548 [CRITICAL] CWE-502 CVE-2020-9548: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
nvd
CVE-2019-20330CRITICALCVSS 9.8v15.0.3v16.0.2+1 more2020-01-03
CVE-2019-20330 [CRITICAL] CWE-502 CVE-2019-20330: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
nvd
CVE-2019-10219MEDIUMCVSS 6.1v19.0.12019-11-08
CVE-2019-10219 [MEDIUM] CWE-79 CVE-2019-10219: A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properl
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
nvd
CVE-2019-17531CRITICALCVSS 9.8v15.0.3v16.0.2+1 more2019-10-12
CVE-2019-17531 [CRITICAL] CWE-502 CVE-2019-17531: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When D
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it i
nvd
CVE-2019-17091MEDIUMCVSS 6.1v16.02019-10-02
CVE-2019-17091 [MEDIUM] CWE-79 CVE-2019-17091: faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J be
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
nvd
CVE-2019-16942CRITICALCVSS 9.8v15.0.3v16.0.2+1 more2019-10-01
CVE-2019-16942 [CRITICAL] CWE-502 CVE-2019-16942: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When D
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible
nvd
CVE-2019-16943CRITICALCVSS 9.8v15.0.3v16.0.2+1 more2019-10-01
CVE-2019-16943 [CRITICAL] CWE-502 CVE-2019-16943: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When D
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to m
nvd
CVE-2019-10086HIGHCVSS 7.3v5.0.3.12019-08-20
CVE-2019-10086 [HIGH] CWE-502 CVE-2019-10086: In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressi
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
nvd
CVE-2018-12023HIGHCVSS 7.5v15.02019-03-21
CVE-2018-12023 [HIGH] CWE-502 CVE-2018-12023: An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When De
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
nvd
CVE-2018-12022HIGHCVSS 7.5v15.02019-03-21
CVE-2018-12022 [HIGH] CWE-502 CVE-2018-12022: An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When De
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the servic
nvd
CVE-2018-3125MEDIUMCVSS 6.5v14.12019-01-16
CVE-2018-3125 [MEDIUM] CVE-2018-3125: Vulnerability in the Oracle Retail Merchandising System component of Oracle Retail Applications (sub
Vulnerability in the Oracle Retail Merchandising System component of Oracle Retail Applications (subcomponent: Security (SQL Logger)). The supported version that is affected is 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Merchandising System. Successful attacks of this vulnera
nvd
CVE-2018-14718CRITICALCVSS 9.8v15.0v16.02019-01-02
CVE-2018-14718 [CRITICAL] CWE-502 CVE-2018-14718: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code b
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
nvd
CVE-2018-14719CRITICALCVSS 9.8v15.0v16.02019-01-02
CVE-2018-14719 [CRITICAL] CWE-502 CVE-2018-14719: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code b
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
nvd
CVE-2018-14720CRITICALCVSS 9.8v15.0v16.02019-01-02
CVE-2018-14720 [CRITICAL] CWE-502 CVE-2018-14720: FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XX
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
nvd
CVE-2018-14721CRITICALCVSS 10.0v15.0v16.02019-01-02
CVE-2018-14721 [CRITICAL] CWE-918 CVE-2018-14721: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side requ
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
nvd
CVE-2018-2730MEDIUMCVSS 6.4v16.02018-01-18
CVE-2018-2730 [MEDIUM] CVE-2018-2730: Vulnerability in the Oracle Retail Merchandising System component of Oracle Retail Applications (sub
Vulnerability in the Oracle Retail Merchandising System component of Oracle Retail Applications (subcomponent: Cross Pillar). The supported version that is affected is 16.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Merchandising System. While the vulnerability is in Oracle Retail
nvd
← Previous3 / 3