Vulnerabilities > Oracle > Retail Xstore Point OF Service

DATE CVE VULNERABILITY TITLE RISK
2019-04-22 CVE-2019-5427 XML Entity Expansion vulnerability in multiple products
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
network
low complexity
mchange fedoraproject oracle CWE-776
7.5
2019-04-22 CVE-2019-10247 Information Exposure vulnerability in multiple products
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path.
network
low complexity
eclipse netapp oracle debian CWE-200
5.3
2019-04-22 CVE-2019-10246 Information Exposure vulnerability in multiple products
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents.
network
low complexity
eclipse netapp oracle CWE-200
5.3
2019-04-22 CVE-2019-10241 Cross-site Scripting vulnerability in multiple products
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
network
low complexity
eclipse debian apache oracle CWE-79
6.1
2019-04-17 CVE-2019-0228 XXE vulnerability in multiple products
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
network
low complexity
apache fedoraproject oracle CWE-611
critical
9.8
2019-04-08 CVE-2019-0211 Use After Free vulnerability in multiple products
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard.
7.8
2019-04-08 CVE-2019-0217 Race Condition vulnerability in multiple products
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
7.5
2019-01-30 CVE-2019-0190 A bug exists in the way mod_ssl handled client renegotiations.
network
low complexity
apache oracle
7.5
2019-01-30 CVE-2018-17189 Resource Exhaustion vulnerability in multiple products
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data.
5.3
2018-10-18 CVE-2018-15756 Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource.
network
low complexity
vmware oracle debian
7.5