Vulnerabilities > Pippo

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | AFFECTED | CWE | RISK |
|---|---|---|---|---|---|---|
| 2019-06-12 | CVE-2019-5442 | XML Entity Expansion vulnerability in Pippo 1.12.0 | XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service. Entities are created recursively and large amounts of heap memory are taken. | pippo | CWE-776 | network, low complexity, 5.0 |
| 2018-12-11 | CVE-2018-20059 | XXE vulnerability in Pippo 1.11.0 | jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. | pippo | CWE-611 | network, low complexity, 7.5 |
| 2018-10-23 | CVE-2018-18628 | Deserialization of Untrusted Data vulnerability in Pippo 1.11.0 | An issue was discovered in Pippo 1.11.0. | pippo | CWE-502 | network, low complexity, critical, 10.0 |
| 2018-10-23 | CVE-2017-18349 | Improper Input Validation vulnerability in multiple products | parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java. | alibaba pippo | CWE-20 | network, low complexity, critical, 10.0 |
| 2018-10-11 | CVE-2018-18240 | Deserialization of Untrusted Data vulnerability in Pippo | Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling. | pippo | CWE-502 | network, low complexity, 7.5 |