Rogue Wave

Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in…

In versions of Zend Server 8.5 and prior to version 9.2 a format string injection was discovered. Reported by Dylan Marino

A server-side request forgery (SSRF) was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson.

Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE).

In versions of Akana in versions prior to and including 2022.1.3 validation is broken when using the SAML Single Sign-On (SSO) functionality.

In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Reported by Alpha Inferno PVT LTD.

Helix ALM prior to 2025.1 returns distinct error responses during authentication, allowing an attacker to determine whether a username exists.

Versions of Gliffy Online prior to versions 4.14.0-7 contains a Cross Site Request Forgery (CSRF) flaw.

In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered.

In Helix ALM versions prior to 2024.2.0, a local command injection was identified. Reported by Bryan Riggins.

The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and earlier allows remote attackers to cause a denial of service (daemon crash) via a missing parameter to the (1) dm-FaultFile, (2) dm-LazyCheck, (3) dm-ResolvedFile, (4) dm-OpenFile, (5) crypto, and possibly…

Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities

In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins.  

The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.

Perforce Server 2009.2 and earlier, when the protection table is empty, allows remote authenticated users to obtain super privileges via a "p4 protect" command.

The triggers functionality in Perforce Server 2008.1 allows remote authenticated users with super privileges to execute arbitrary operating-system commands by using a "p4 client" command in conjunction with the form-in trigger script.

Directory traversal vulnerability in Perforce Server 2008.1 allows remote authenticated users to create arbitrary files via a .. (dot dot) in the argument to the "p4 add" command.

The FTP server in Perforce Server 2008.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a certain MKD command.

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data, possibly involving a large sndbuf value.

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (infinite loop) via crafted data that includes a byte sequence of 0xdc, 0xff, 0xff, and 0xff immediately before the client protocol version number.