Vulnerabilities > Oracle > Banking Apis > 21.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-11-17 | CVE-2021-41165 | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source WYSIWYG HTML editor. | 5.4 |
| 2021-11-17 | CVE-2021-41164 | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source WYSIWYG HTML editor. | 5.4 |
| 2021-10-19 | CVE-2021-37136 | Resource Exhaustion vulnerability in multiple products The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). | 7.5 |
| 2021-10-19 | CVE-2021-37137 | Resource Exhaustion vulnerability in multiple products The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. | 7.5 |
| 2021-07-21 | CVE-2021-2351 | Session Fixation vulnerability in Oracle products Vulnerability in the Advanced Networking Option component of Oracle Database Server. | 8.3 |
| 2021-07-13 | CVE-2021-35517 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. | 7.5 |
| 2021-07-13 | CVE-2021-36090 | When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. | 7.5 |
| 2021-04-13 | CVE-2021-29425 | Path Traversal vulnerability in multiple products In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. | 4.8 |
| 2021-04-01 | CVE-2021-28164 | In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. | 5.3 |
| 2021-04-01 | CVE-2021-28163 | Link Following vulnerability in multiple products In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. | 2.7 |