CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 1

The getRenderedEjbql method in the org.jboss.seam.framework.Query class in JBoss Seam 2.x before 2.0.0.CR3 allows remote attackers to inject and execute arbitrary EJBQL commands via the order parameter.

• http://jira.jboss.com/jira/browse/JBSEAM-2084
• http://osvdb.org/42631
• http://secunia.com/advisories/28077
• http://sourceforge.net/project/shownotes.php?release_id=549490&group_id=22866
• http://www.redhat.com/support/errata/RHSA-2008-0151.html
• http://www.redhat.com/support/errata/RHSA-2008-0158.html
• http://www.redhat.com/support/errata/RHSA-2008-0213.html
• http://www.securityfocus.com/bid/26850
• http://www.vupen.com/english/advisories/2007/4215
• https://access.redhat.com/

• CWE-20: Improper Input Validation