CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6578 – Software AG WebMethods access control
https://notcve.org/view.php?id=CVE-2023-6578
07 Dec 2023 — A vulnerability classified as critical has been found in Software AG WebMethods 10.11.x/10.15.x. Affected is an unknown function of the file wm.server/connect/. The manipulation leads to improper access controls. It is possible to launch the attack remotely. To access a file like /assets/ a popup may request username and password. • https://vuldb.com/?ctiid.247158 • CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0925 – Software AG webMethods OneData Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2023-0925
06 Sep 2023 — Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port). Port 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality ... • https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html • CWE-502: Deserialization of Untrusted Data •