Webcenter Sites

webcenter_sites

Vendor: Oracle • 53 CVEs

CVEs (53)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-20908 1Oracle 1Webcenter Sites Nov 21, 2024 Jan 16, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated at...Show more Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).Show less
CVE-2021-45105 5Apache DebianNetapp+2 more 1166bk1602 0aa12 0tp0 Firmware 6bk1602 0aa22 0tp0 Firmware6bk1602 0aa32 0tp0 Firmware+113 more May 29, 2026 Dec 18, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data t...Show more Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.Show less
CVE-2021-32808 3Ckeditor FedoraprojectOracle 13Application Express Banking Party ManagementCkeditor+10 more Nov 21, 2024 Aug 12, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse un...Show more ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.Show less
CVE-2021-29505 5Debian FedoraprojectNetapp+2 more 17Banking Cash Management Banking Corporate Lending Process ManagementBanking Credit Facilities Process Management+14 more May 30, 2025 May 28, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipu...Show more XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.Show less
CVE-2021-27906 3Apache FedoraprojectOracle 19Banking Corporate Lending Process Management Banking Credit Facilities Process ManagementBanking Supply Chain Finance+16 more Nov 21, 2024 Mar 19, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
CVE-2021-27807 3Apache FedoraprojectOracle 15Banking Trade Finance Process Management Banking Treasury ManagementBanking Virtual Account Management+12 more Nov 21, 2024 Mar 19, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
CVE-2021-26272 2Ckeditor Oracle 10Agile Plm Application ExpressBanking Party Management+7 more Nov 21, 2024 Jan 26, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
CVE-2021-26271 2Ckeditor Oracle 7Agile Plm Application ExpressCkeditor+4 more Nov 21, 2024 Jan 26, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
CVE-2020-14613 1Oracle 1Webcenter Sites Nov 21, 2024 Jul 15, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced User Interface). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability a...Show more Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced User Interface). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).Show less
CVE-2020-11023 7Debian DrupalFedoraproject+4 more 52Active Iq Unified Manager Application ExpressApplication Testing Suite+49 more Nov 7, 2025 Apr 29, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(),...Show more In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.Show less
CVE-2020-2739 1Oracle 1Webcenter Sites Nov 21, 2024 Apr 15, 2020 N/A· v4 7.4 HIGH· v3 4.3 MEDIUM· v2 Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated atta...Show more Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).Show less
CVE-2020-5258 3Debian LinuxfoundationOracle 10Communications Application Session Controller Communications Policy ManagementCommunications Pricing Design Center+7 more Nov 21, 2024 Mar 10, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes,...Show more In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2Show less
CVE-2020-7226 2Oracle Vt 4Communications Services Gatekeeper CryptacularWebcenter Sites+1 more Nov 21, 2024 Jan 24, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new...Show more CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.Show less
CVE-2020-2539 1Oracle 1Webcenter Sites Nov 21, 2024 Jan 15, 2020 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated atta...Show more Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).Show less
CVE-2020-2538 1Oracle 1Webcenter Sites Nov 21, 2024 Jan 15, 2020 N/A· v4 7.1 HIGH· v3 6.8 MEDIUM· v2 Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated atta...Show more Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).Show less
CVE-2019-12415 2Apache Oracle 27Application Testing Suite Banking Enterprise OriginationsBanking Enterprise Product Manufacturing+24 more Nov 21, 2024 Oct 23, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from intern...Show more In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.Show less
CVE-2019-17531 5Debian FasterxmlNetapp+2 more 22Banking Platform Communications Billing And Revenue ManagementCommunications Calendar Server+19 more Nov 21, 2024 Oct 12, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the se...Show more A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.Show less
CVE-2019-16943 6Debian FasterxmlFedoraproject+3 more 26Active Iq Unified Manager Banking PlatformCommunications Billing And Revenue Management+23 more Nov 21, 2024 Oct 1, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the se...Show more A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.Show less
CVE-2019-16942 6Debian FasterxmlFedoraproject+3 more 28Active Iq Unified Manager Banking PlatformCommunications Billing And Revenue Management+25 more Nov 21, 2024 Oct 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the se...Show more A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.Show less
CVE-2019-13990 5Apache AtlassianNetapp+2 more 31Active Iq Unified Manager Apache Batik MapviewerBanking Enterprise Originations+28 more Nov 21, 2024 Jul 26, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

12 3 Next