CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2008-5083
https://notcve.org/view.php?id=CVE-2008-5083
In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON. En JON versiones 2.1.x anteriores a 2.1.2 SP1, los usuarios pueden obtener información de seguridad no autorizada sobre recursos privados administrados por JBoss ON. • https://access.redhat.com/security/cve/cve-2008-5083 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5083 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2010-0737
https://notcve.org/view.php?id=CVE-2010-0737
A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the administrator user. Se detectó una falta de comprobación de permiso en la CLI en JBoss Operations Network versiones anteriores a 2.3.1, no comprueba apropiadamente los permisos, lo que permite a usuarios de JBoss ON llevar a cabo tareas de administración y cambios de configuración con los privilegios del usuario administrador. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0737 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5422 – JON3: privilege escalation via improper authorization
https://notcve.org/view.php?id=CVE-2016-5422
The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request. La consola web en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.7 no autoriza adecuadamente peticiones para agregar usuarios con el rol de superusuario, lo que permite a usuarios remotos autenticados obtener privilegios de administrador a través de una petición POST manipulada. It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attacks allows escalation of privileges. • http://rhn.redhat.com/errata/RHSA-2016-1785.html http://www.securityfocus.com/bid/92722 https://access.redhat.com/security/cve/CVE-2016-5422 https://bugzilla.redhat.com/show_bug.cgi?id=1361933 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3737
https://notcve.org/view.php?id=CVE-2016-3737
The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. El servidor en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.6 permite a atacantes remotos ejecutar código arbitrario a traves una petición HTTP manipulada, relacionado con deserialización de mensaje. • http://rhn.redhat.com/errata/RHSA-2016-1519.html http://www.securitytracker.com/id/1036507 https://bugzilla.redhat.com/show_bug.cgi?id=1333618 https://www.tenable.com/security/research/tra-2016-22 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3267 – JON: Cross Site scripting possible on the JBoss ON 404 error page
https://notcve.org/view.php?id=CVE-2015-3267
Cross-site scripting (XSS) vulnerability in the 404 error page in Red Hat JBoss Operations Network before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de XSS en la página de error 404 en Red Hat JBoss Operations Network en versiones anteriores a 3.3.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada. It was discovered that a cross-site scripting (XSS) vulnerability on a JBoss Operations Network 404 error page allowed for session fixation attacks. An attacker could use this flaw to impersonate a legitimate user, resulting in compromised integrity of secure data. • http://rhn.redhat.com/errata/RHSA-2015-1525.html http://www.securityfocus.com/bid/76335 http://www.securitytracker.com/id/1033136 https://access.redhat.com/security/cve/CVE-2015-3267 https://bugzilla.redhat.com/show_bug.cgi?id=1237155 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •