Unrestricted Upload of File with Dangerous Type
Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution.
Advisories for Maven/Org.sonatype.nexus/Nexus-Repository package
2022
2021
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance.