Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Oracle Subscribe
Filtered by product Agile Plm
Total 67 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-11039 3 Debian, Oracle, Vmware 33 Debian Linux, Agile Plm, Application Testing Suite and 30 more 2022-06-23 4.3 MEDIUM 5.9 MEDIUM
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
CVE-2018-15756 3 Debian, Oracle, Vmware 40 Debian Linux, Agile Plm, Communications Brm - Elastic Charging Engine and 37 more 2022-05-13 5.0 MEDIUM 7.5 HIGH
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
CVE-2020-13935 7 Apache, Canonical, Debian and 4 more 18 Tomcat, Ubuntu Linux, Debian Linux and 15 more 2022-05-12 5.0 MEDIUM 7.5 HIGH
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
CVE-2020-24750 3 Debian, Fasterxml, Oracle 26 Debian Linux, Jackson-databind, Agile Plm and 23 more 2022-05-12 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVE-2020-24616 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more 2022-05-12 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2022-21467 1 Oracle 1 Agile Plm 2022-04-28 4.0 MEDIUM 6.5 MEDIUM
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Attachments). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
CVE-2019-2725 1 Oracle 8 Agile Plm, Communications Converged Application Server, Peoplesoft Enterprise Peopletools and 5 more 2022-04-27 7.5 HIGH 9.8 CRITICAL
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2018-1258 5 Netapp, Oracle, Pivotal Software and 2 more 42 Oncommand Insight, Oncommand Unified Manager, Oncommand Workflow Automation and 39 more 2022-04-11 6.5 MEDIUM 8.8 HIGH
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CVE-2020-13934 6 Apache, Canonical, Debian and 3 more 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more 2022-03-01 5.0 MEDIUM 7.5 HIGH
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
CVE-2021-26272 2 Ckeditor, Oracle 10 Ckeditor, Agile Plm, Application Express and 7 more 2022-03-01 4.3 MEDIUM 6.5 MEDIUM
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
CVE-2020-11113 4 Debian, Fasterxml, Netapp and 1 more 32 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 29 more 2021-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVE-2020-11111 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 22 more 2021-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVE-2020-11112 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2021-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVE-2020-10672 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2021-12-07 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVE-2020-10673 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2021-12-07 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVE-2020-10968 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2021-12-07 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVE-2020-10969 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2021-12-07 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CVE-2020-27193 2 Ckeditor, Oracle 9 Ckeditor, Agile Plm, Application Express and 6 more 2021-12-02 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
CVE-2020-9548 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more 2021-12-02 6.8 MEDIUM 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CVE-2020-9546 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Active Iq Unified Manager and 28 more 2021-12-02 6.8 MEDIUM 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).