Search Vulnerabilities

OpenRemote has Improper Access Control via updateUserRealmRoles function

Spinnaker: RCE via expression parsing due to unrestricted context handling

Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Bouncy Castle has an LDAP injection

Bouncy Castle Uncontrolled Resource Consumption vulnerability

PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability

OmniFaces: EL injection via crafted resource name in wildcard CDN mapping

Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService

SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information

Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

Improper restriction of the scope of accessible objects in Thymeleaf expressions

OpenRemote has XXE in Velbus Asset Import

Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache

Data Sharing Framework is Missing Session Timeout for OIDC Sessions

Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules

Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

XWiki's REST APIs can list all pages/spaces, leading to unavailability

XWiki has Reflected Cross-Site Scripting (XSS) in page history compare

Expression Injection in OpenRemote