All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.

IBM WebSphere Application Server Liberty 17.0.0.3 less than 22.0.0.3, with the adminCenter-1.0 feature configured, is vulnerable to Prototype Pollution via the setObject function in Dojo.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The IBM WebSphere Application Server installed on the remote host is affected by a remote code execution vulnerability due to the Dojo package, which is vulnerable to vulnerable to Prototype Pollution via the setObject function.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3289 advisory.

  - In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater     than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7,     and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less     than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has     been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3. (CVE-2020-4051)

  - All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
    (CVE-2021-23450)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.4.0.0 versions of Enterprise Manager Ops Center installed on the remote host is missing a security patch as documented in the October 2022 Critical Patch Update (CPU). It is, therefore, affected by a vulnerability in the Networking (dojo) component. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Ops Center. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Ops Center.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 12.2.1.3.0 and 12.2.1.4.0 versions of WebCenter Sites installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2022 CPU advisory.

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Centralized Thirdparty     Jars (dojo)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful     attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. (CVE-2021-23450)

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites     (XStream)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful     attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle WebCenter Sites. (CVE-2021-43859)

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites     (CKEditor)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful     attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle WebCenter Sites. (CVE-2022-24729)

  - CVE-2022-32532	Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component:     WebCenter Sites (Apache Shiro)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites.     (CVE-2022-32532)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the Oct 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilites:

  - Vulnerability in the Oracle Communications Convergence product of Oracle Communications Applications (component:     Framework (dojo)). The supported version that is affected is 3.0.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Communications Convergence. Successful     attacks of this vulnerability can result in takeover of Oracle Communications Convergence. (CVE-2021-23450)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (jackson-databind)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal.     Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of Oracle WebCenter Portal. (CVE-2020-36518)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (Apache Santuario XML Security For Java)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.     Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized access to critical data or     complete access to all Oracle WebCenter Portal accessible data. (CVE-2021-40690)

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the July 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party     Tools, Samples (Spring Framework)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of     Oracle WebLogic Server. (CVE-2022-22965)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (OWASP Enterprise Security API)). Supported versions that are affected are 12.2.1.3.0,     12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result     in takeover of Oracle WebLogic Server. (CVE-2022-23457)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Apache Maven)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data     as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server     accessible data. (CVE-2021-26291)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Primavera Unifier installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2022 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform     (dojo)). Supported versions that are affected are 17.7-17.12, 18.8, 19.12, 20.12 and 21.12. Easily     exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise     Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized ability to cause a     hang or frequently repeatable crash (complete DOS) of Primavera Unifier as well as unauthorized update,     insert or delete access to some of Primavera Unifier accessible data and unauthorized read access to a     subset of Primavera Unifier accessible data. (CVE-2021-23450)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console,     Samples (jQueryUI)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than     the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact     additional products (scope change). Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized     read access to a subset of Oracle WebLogic Server accessible data. (CVE-2021-41184)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
172081	IBM WebSphere Application Server Liberty 17.0.0.3 < 22.0.0.3 Information Disclosure (6585704)	Nessus	Web Servers	critical
172080	IBM WebSphere Application Server 7.x <= 7.0.0.45 / 8.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.22 / 9.x < 9.0.5.12 RCE	Nessus	Web Servers	critical
170878	Debian DLA-3289-1 : dojo - LTS security update	Nessus	Debian Local Security Checks	critical
170175	Oracle Enterprise Manager Ops Center UI and Other Patches (Oct 2022 CPU)	Nessus	Misc.	critical
166377	Oracle WebCenter Sites (Oct 2022 CPU)	Nessus	Windows	critical
166335	Oracle WebCenter Portal Multiple Vulnerabilities (Oct 2022 CPU)	Nessus	Misc.	critical
163298	Oracle WebLogic Server (Jul 2022 CPU)	Nessus	Misc.	critical
159919	Oracle Primavera Unifier (Apr 2022 CPU)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2021-23450

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical