CRITICAL🇬🇧 English

CVE-2013-7285

CVSS 9.8v3.1pub. 2019-05-15upd. 2025-05-23

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Activemq

    APP
    Apache
    5.15.8
  • Oracle Endeca Information Discovery Studio

    APP
    Oracle
    3.2.0
  • Xstream

    APP
    Xstream
    1.4.10≤ 1.4.6
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Command Injection
CWE
Referencje

Powiązane podatności

CVE-2023-46604CRITICAL10.0⚠ KEVten sam produkt

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a ...

CVE-2016-3088CRITICAL9.8⚠ KEVten sam produkt

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and exec...

CVE-2020-11998CRITICAL9.8ten sam produkt

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to ...

CVE-2019-17571CRITICAL9.8ten sam produkt

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which ca...

CVE-2019-10173CRITICAL9.8ten sam produkt

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserializat...