Pippo 1.11.0 Security Vulnerabilities
jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.
CVSS Score: 9.8
EPSS Score: 0.004
Published: 2018-12-11
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
CVSS Score: 9.8
EPSS Score: 0.908
Published: 2018-10-23
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution.
CVSS Score: 9.8
EPSS Score: 0.044
Published: 2018-10-23
Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.
CVSS Score: 9.8
EPSS Score: 0.027
Published: 2018-10-11