The remote SUSE Linux SLED12 / SLED_SAP12 / SLES12 / SLES_SAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:3876-1 advisory.

  - The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user     from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects     XMLBeans up to and including v2.6.0. (CVE-2021-23926)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2693 advisory.

    The XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML     input. Vulnerabilities include the possibility for XML Entity Expansion attacks which could lead to a     denial-of-service. This update implements sensible defaults for the XML parsers to prevent these kind of     attacks. For Debian 9 stretch, this problem has been fixed in version 2.6.0+dfsg-1+deb9u1. We recommend     that you upgrade your xmlbeans packages. For the detailed security status of xmlbeans please refer to its     security tracker page at: https://security-tracker.debian.org/tracker/xmlbeans Further information about     Debian LTS security advisories, how to apply these updates to your system and frequently asked questions     can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The versions of Oracle Siebel CRM installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2022 CPU advisory.

  - Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing     (XMLBeans)). Supported versions that are affected are 22.8 and prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing.
    Successful attacks of this vulnerability can result in unauthorized access to critical data or complete     access to all Siebel Apps - Marketing accessible data and unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Siebel Apps - Marketing. (CVE-2021-23926)

  - Vulnerability in the Siebel Industry - Life Sciences product of Oracle Siebel CRM (component: eDetailing     (PDF Viewer)). Supported versions that are affected are 22.8 and prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Siebel Industry - Life     Sciences. Successful attacks require human interaction from a person other than the attacker. Successful     attacks of this vulnerability can result in takeover of Siebel Industry - Life Sciences. (CVE-2018-5158)

  - Vulnerability in the Siebel Engineering - Rel Eng product of Oracle Siebel CRM (component: Build System     (Visual Studio)). Supported versions that are affected are 22.8 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with logon to the infrastructure where Siebel Engineering -     Rel Eng executes to compromise Siebel Engineering - Rel Eng. Successful attacks require human interaction     from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of     Siebel Engineering - Rel Eng. (CVE-2020-16856)

  - Vulnerability in the Siebel Core - Automation product of Oracle Siebel CRM (component: Keyword Automation     (Google Gson)). Supported versions that are affected are 22.8 and prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Siebel Core - Automation.
    Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of Siebel Core - Automation.  Vulnerability in the Siebel Core - Common     Components product of Oracle Siebel CRM (component: DISA (Google Gson)). Supported versions that are     affected are 22.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTP to compromise Siebel Core - Common Components. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel     Core - Common Components. (CVE-2022-25647)

  - Vulnerability in the Siebel Core - Common Components product of Oracle Siebel CRM (component: Calendar     (Moment.js)). Supported versions that are affected are 22.8 and prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Siebel Core - Common     Components. Successful attacks of this vulnerability can result in unauthorized creation, deletion or     modification access to critical data or all Siebel Core - Common Components accessible data.
    (CVE-2022-24785)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition 12.2.1.4 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2025 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (Apache Commons FileUpload)). The supported version that is affected is     12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle     Business Intelligence Enterprise Edition. (CVE-2023-24998)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Platform Security (OpenSSL)). Supported versions that are affected are 7.0.0.0.0, 7.6.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this     vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business     Intelligence Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2024-5535)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server, Pipeline Test Failures, Installation (Spring Framework)). Supported versions     that are affected are 7.0.0.0.0, 7.6.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause     a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition.     (CVE-2024-38809)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Oracle Business Intelligence Enterprise Edition (OBIEE) installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2023 CPU advisory.

  - A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity     vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different     classes. (CVE-2019-10172)

  - An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The     OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing     incorrect passwords to indicate they were matching with previously hashed ones that were different.
    (CVE-2020-28052)

  - The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user     from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects     XMLBeans up to and including v2.6.0. (CVE-2021-23926)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:3875-1 advisory.

  - The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user     from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects     XMLBeans up to and including v2.6.0. (CVE-2021-23926)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition 12.2.1.4 installed on the remote host is affected by multiple vulnerabilities as referenced in the July 2024 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: BI FNDN (Apache XMLBeans)). The supported version that is affected is 12.2.1.4.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise     Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2021-23926)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Storage Service Integration (Nimbus JOSE+JWT)). The supported version that is affected is     12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2023-52428)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Web Answers). Supported versions that are affected are 7.0.0.0.0, 7.6.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via     HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human     interaction from a person other than the attacker and while the vulnerability is in Oracle Business     Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change).     Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to s     ome of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access     to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2024-21139)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
167038	SUSE SLED12 / SLES12 Security Update : xmlbeans (SUSE-SU-2022:3876-1)	Nessus	SuSE Local Security Checks	11/5/2022	7/14/2023	critical
151111	Debian DLA-2693-1 : xmlbeans - LTS security update	Nessus	Debian Local Security Checks	6/28/2021	1/24/2025	critical
212450	Oracle Siebel Server (October 2022 CPU)	Nessus	Misc.	12/11/2024	12/12/2024	critical
214593	Oracle Business Intelligence Enterprise Edition (January 2025 CPU)	Nessus	Misc.	1/24/2025	1/27/2025	critical
174742	Oracle Business Intelligence Enterprise Edition (Apr 2023 CPU)	Nessus	Misc.	4/25/2023	7/21/2023	critical
167035	SUSE SLED15 / SLES15 Security Update : xmlbeans (SUSE-SU-2022:3875-1)	Nessus	SuSE Local Security Checks	11/5/2022	7/14/2023	critical
202908	Oracle Business Intelligence Enterprise Edition (July 2024 CPU)	Nessus	Misc.	7/22/2024	7/23/2024	critical
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	3/8/2024	3/12/2024	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical