4 results (0.015 seconds)

CVSS: 5.0EPSS: 26%CPEs: 38EXPL: 0

Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file. Múltiples vulnerabilidades de XXE en las clases (1) ExecutionHandler, (2) PollHandler, y (3) SubscriptionHandler en JBoss Seam Remoting de JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atancantes remotos leer archivos arbitrarios y posiblemente tener otros impactos a través de un archivo XML manipulado. • http://rhn.redhat.com/errata/RHSA-2014-0045.html http://secunia.com/advisories/56572 http://www.securitytracker.com/id/1029652 https://bugzilla.redhat.com/show_bug.cgi?id=1044784 https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5 https://access.redhat.com/security/cve/CVE-2013-6447 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.0EPSS: 0%CPEs: 38EXPL: 0

The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors. El manejador InterfaceGenerator en JBoss Seam Remoting en JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atacantes remotos evadir la restricción de anotación de WebRemote y obtener información sobre clases y métodos arbitrarios en el servidor classpath a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0045.html http://secunia.com/advisories/56572 http://www.securitytracker.com/id/1029652 https://bugzilla.redhat.com/show_bug.cgi?id=1044794 https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5 https://access.redhat.com/security/cve/CVE-2013-6448 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.8EPSS: 1%CPEs: 35EXPL: 0

jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. jboss-seam.jar en el framework JBoss Seam 2 2.2.x y versiones anteriores, tal como se distribuye con la plataforma Hat JBoss Enterprise SOA 4.3.0.CP04 y 5.1.0 y JBoss Enterprise Application Platform (JBoss EAP o JBEAP) 4.3.0.CP09 y 5.1.0, no restringen el uso de instrucciones de "Expression Language" (EL) en FacesMessages durante el manejo de excepciones de página, lo que permite a atacantes remotos ejecutar código Java arbitrario a través de una URL modificada a una aplicación. • http://www.redhat.com/support/errata/RHSA-2011-0460.html http://www.redhat.com/support/errata/RHSA-2011-0461.html http://www.redhat.com/support/errata/RHSA-2011-0462.html http://www.redhat.com/support/errata/RHSA-2011-0463.html http://www.redhat.com/support/errata/RHSA-2011-1148.html http://www.redhat.com/support/errata/RHSA-2011-1251.html https://bugzilla.redhat.com/show_bug.cgi?id=692421 https://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/ • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.8EPSS: 1%CPEs: 37EXPL: 0

jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484. jboss-seam.jar en el framework de JBoss Seam 2 v2.2.x y anteriores, como el distribuido en Red Hat JBoss Enterprise SOA Platform v4.3.0.CP05 y v5.1.0; JBoss Enterprise Application Platform (también conocido como JBoss EAP o JBEAP) v4.3.0, v4.3.0.CP09, y v5.1.1; y JBoss Enterprise Web Platform v5.1.1, no restringen el uso de elementos Expression Language (EL) en FacesMessages durante la gestión de la página de excepción, lo que permite a atacantes remotos ejecutar código Java a través de una URL manipulada para una aplicación. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2011-1484. • http://www.redhat.com/support/errata/RHSA-2011-0945.html http://www.redhat.com/support/errata/RHSA-2011-0946.html http://www.redhat.com/support/errata/RHSA-2011-0947.html http://www.redhat.com/support/errata/RHSA-2011-0948.html http://www.redhat.com/support/errata/RHSA-2011-0949.html http://www.redhat.com/support/errata/RHSA-2011-0950.html http://www.redhat.com/support/errata/RHSA-2011-0951.html http://www.redhat.com/support/errata/RHSA-2011-0952.html http:// • CWE-264: Permissions, Privileges, and Access Controls •