CVE-2017-1496
https://notcve.org/view.php?id=CVE-2017-1496
IBM Sterling B2B Integrator Standard Edition 5.2.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128694. IBM Sterling B2B Integrator Standard Edition versión 5.2.x es vulnerable a ataque de tipo cross-site-scripting (XSS). Esta vulnerabilidad permite a los usuarios insertar código JavaScript arbitrario en la Web UI, lo que altera la funcionalidad prevista que puede conllevar a la divulgación de credenciales dentro de una sesión de confianza. • http://www.ibm.com/support/docview.wss?uid=swg22006175 https://exchange.xforce.ibmcloud.com/vulnerabilities/128694 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-6020
https://notcve.org/view.php?id=CVE-2016-6020
IBM Sterling B2B Integrator Standard Edition could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM Sterling B2B Integrator Standard Edition podrían permitir a un atacante remoto llevar a cabo ataques de phishing, utilizando un ataque de redirección abierta. Al persuadir a una victima para visitar un sitio Web especialmente manipulado, un atacante remoto podría explotar esta vulnerabilidad para falsificar la URL mostrada para redirigir a un usuario a un sitio Web malicioso que parece ser de confianza. • http://www.ibm.com/support/docview.wss?uid=swg21995794 http://www.securityfocus.com/bid/95098 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2014-6199
https://notcve.org/view.php?id=CVE-2014-6199
The HTTP Server Adapter in IBM Sterling B2B Integrator 5.1 and 5.2.x and Sterling File Gateway 2.1 and 2.2 allows remote attackers to cause a denial of service (connection-slot exhaustion) via a crafted HTTP request. El adaptador del servidor HTTP en IBM Sterling B2B Integrator 5.1 y 5.2.x y Sterling File Gateway 2.1 y 2.2 permite a atacantes remotos causar una denegación de servicio (agotamiento de ranuras de conexión) a través de una solicitud HTTP manipulada. • http://secunia.com/advisories/62082 http://www-01.ibm.com/support/docview.wss?uid=swg1IT05121 http://www-01.ibm.com/support/docview.wss?uid=swg21693131 https://exchange.xforce.ibmcloud.com/vulnerabilities/98650 • CWE-399: Resource Management Errors •
CVE-2014-6099
https://notcve.org/view.php?id=CVE-2014-6099
The Change Password feature in IBM Sterling B2B Integrator 5.2.x through 5.2.4 does not have a lockout protection mechanism for invalid login requests, which makes it easier for remote attackers to obtain admin access via a brute-force approach. La caracteristica Change Password en IBM Sterling B2B Integrator 5.2.x hasta 5.2.4 no tiene un mecanismo de protección de bloqueo para solicitudes de inicio de sesión inválidas, lo que facilita a atacantes remotos obtener el acceso a administración a través de un acercamiento de fuerza bruta. • http://www-01.ibm.com/support/docview.wss?uid=swg1IT03935 http://www-01.ibm.com/support/docview.wss?uid=swg1IT03936 https://exchange.xforce.ibmcloud.com/vulnerabilities/96004 https://www-01.ibm.com/support/docview.wss?uid=swg21685345 • CWE-255: Credentials Management Errors •
CVE-2013-4002 – OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
https://notcve.org/view.php?id=CVE-2013-4002
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names. XMLscanner.java en Apache Xerces2 Java Parser, en versiones anteriores a la 2.12.0, tal y como se empleó en Java Runtime Environment (JRE) en IBM Java, en versiones 5.0 anteriores a la 5.0 SR16-FP3, 6 anteriores a la 6 SR14, 6.0.1 anteriores a la 6.0.1 SR6 y 7 anteriores a la 7 SR5, así como en Oracle Java SE 7u40 y anteriores, Java SE 6u60 y anteriores, Java SE 5.0u51 y anteriores, JRockit R28.2.8 y anteriores, JRockit R27.7.6 y anteriores, Java SE Embedded 7u40 y anteriores y, posiblemente, otros productos, permite que los atacantes remotos realicen una denegación de servicio (DoS) mediante vectores relacionados con los nombres de atributo XML. A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. • https://github.com/tafamace/CVE-2013-4002 http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html http://lists • CWE-20: Improper Input Validation •