13.4

DATE	CVE	VULNERABILITY TITLE	RISK
2018-05-24	CVE-2018-8013	Deserialization of Untrusted Data vulnerability in multiple products In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. network low complexity apache debian canonical oracle CWE-502 critical	9.8
2017-10-19	CVE-2017-10423	Unspecified vulnerability in Oracle Retail Back Office Vulnerability in the Oracle Retail Back Office component of Oracle Retail Applications (subcomponent: Security). network oracle	4.9