Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-184
Total 13 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-16863 2 Artifex, Redhat 7 Ghostscript, Enterprise Linux Desktop, Enterprise Linux Server and 4 more 2023-02-12 9.3 HIGH 7.8 HIGH
It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7.
CVE-2016-6189 1 Alinto 1 Sogo 2022-12-20 4.0 MEDIUM 4.3 MEDIUM
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.
CVE-2020-14372 4 Fedoraproject, Gnu, Netapp and 1 more 9 Fedora, Grub2, Cloud Backup and 6 more 2022-07-22 6.2 MEDIUM 7.5 HIGH
A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-2017-7525 5 Debian, Fasterxml, Netapp and 2 more 22 Debian Linux, Jackson-databind, Oncommand Balance and 19 more 2022-04-12 7.5 HIGH 9.8 CRITICAL
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVE-2018-6383 1 Monstra 1 Monstra 2022-02-09 6.5 MEDIUM 8.8 HIGH
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
CVE-2021-21697 1 Jenkins 1 Jenkins 2021-11-08 6.4 MEDIUM 9.1 CRITICAL
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
CVE-2018-7489 4 Debian, Fasterxml, Oracle and 1 more 5 Debian Linux, Jackson-databind, Communications Billing And Revenue Management and 2 more 2021-03-24 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVE-2021-1135 1 Cisco 1 Data Center Network Manager 2021-01-27 4.0 MEDIUM 4.3 MEDIUM
Multiple vulnerabilities in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-1255 1 Cisco 1 Data Center Network Manager 2021-01-27 5.5 MEDIUM 5.4 MEDIUM
Multiple vulnerabilities in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-1133 1 Cisco 1 Data Center Network Manager 2021-01-27 8.5 HIGH 7.3 HIGH
Multiple vulnerabilities in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2018-5968 4 Debian, Fasterxml, Netapp and 1 more 10 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 7 more 2021-01-21 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVE-2019-9212 1 Antfin 1 Sofa-hessian 2020-02-10 7.5 HIGH 9.8 CRITICAL
** DISPUTED ** SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated.
CVE-2015-5946 1 Sugarcrm 1 Sugarcrm 2017-08-14 4.6 MEDIUM 7.8 HIGH
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.