CVE Security Report - SICS Naming Service
This report is generated on: 26.03.2020, 12:32:47 UTC using dependency-check version: 5.0.0.
The report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.
| Name | Description | CWE | CVSS v2.0 Severity | CVSS v3.0 Severity | Dependency |
|---|---|---|---|---|---|
| CVE-2014-0114 | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to “manipulate” the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. | CWE-20 | HIGH | beanutils-1.6.1-20070314.jar | |
| CVE-2019-10086 | In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. | CWE-502 | HIGH | HIGH | beanutils-1.6.1-20070314.jar |
| CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, , …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype. | CWE-79 | MEDIUM | MEDIUM | jquery-3.3.1.min.js |