CVE-2015-0284 – Satellite: stored XSS in user details fields (incomplete fix for CVE-2014-7811)
https://notcve.org/view.php?id=CVE-2015-0284
Cross-site scripting (XSS) vulnerability in spacewalk-java in Spacewalk and Red Hat Satellite 5.7 allows remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the XMLRPC API, involving user details. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-7811. Vulnerabilidad de XSS en spacewalk-java en Spacewalk y Red Hat Satellite 5.7 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de datos XML manipulados en la API XMLRPC, involucrando detalles de usuario. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2014-7811. A cross-site scripting (XSS) flaw was found in how XML data was handled in Red Hat Satellite. • http://rhn.redhat.com/errata/RHSA-2016-0590.html https://bugzilla.redhat.com/show_bug.cgi?id=1181152 https://bugzilla.redhat.com/show_bug.cgi?id=1181472 https://bugzilla.redhat.com/show_bug.cgi?id=1314906 https://bugzilla.redhat.com/show_bug.cgi?id=1315398 https://github.com/spacewalkproject/spacewalk/commit/dd418384171473c3e31386a1b4792f8c555dc744 https://github.com/spacewalkproject/spacewalk/commit/f3792c79c1c251a49cc4e382be8591636326a794 https://access.redhat.com/security/cve/CVE-2015-0284 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-2103 – 5: multiple stored XSS vulnerabilities
https://notcve.org/view.php?id=CVE-2016-2103
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via (1) the list_1680466951_oldfilterval parameter to systems/PhysicalList.do or (2) unspecified vectors involving systems/VirtualSystemsList.do. Múltiples vulnerabilidades de XSS en Red Hat Satellite 5 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) el parámetro list_1680466951_oldfilterval en systems/PhysicalList.do o (2) vectores no especificados que involucran a systems/VirtualSystemsList.do. Multiple cross-site scripting (XSS) flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users. • http://rhn.redhat.com/errata/RHSA-2016-0590.html https://bugzilla.redhat.com/show_bug.cgi?id=1305681 https://access.redhat.com/security/cve/CVE-2016-2103 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-2104 – 5: stored and reflected XSS vulnerabilities
https://notcve.org/view.php?id=CVE-2016-2104
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via (1) the label parameter to admin/BunchDetail.do; (2) the package_name, (3) search_subscribed_channels, or (4) channel_filter parameter to software/packages/NameOverview.do; or unspecified vectors related to (5) <input:hidden> or (6) <bean:message> tags. Varias vulnerabilidades de XSS en Red Hat Satellite 5 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el parámetro label a admin/BunchDetail.do; (2) el package_name, (3) search_subscribed_channels o (4) el parámetro channel_filter a software/packages/NameOverview.do; O vectores no especificados relacionados con (5) o (6) tags. Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users. • http://rhn.redhat.com/errata/RHSA-2016-0590.html https://bugzilla.redhat.com/show_bug.cgi?id=1305677 https://bugzilla.redhat.com/show_bug.cgi?id=1313515 https://access.redhat.com/security/cve/CVE-2016-2104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-3079 – spacewalk-java: Multiple XSS issues in WebUI
https://notcve.org/view.php?id=CVE-2016-3079
Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to systems/SystemEntitlements.do; (2) the label parameter to admin/multiorg/EntitlementDetails.do; or the name of a (3) snapshot tag or (4) system group in System Set Manager (SSM). Múltiples vulnerabilidades de XSS en la Web UI en Spacewalk y Red Hat Satellite 5.7 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) PATH_INFO en systems/SystemEntitlements.do; (2) el parámetro label en admin/multiorg/EntitlementDetails.do; o el nombre de (3) una etiqueta snapshot o (4) un grupo de sistema en System Set Manager (SSM). Multiple cross-site scripting (XSS) flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users. • http://rhn.redhat.com/errata/RHSA-2016-0590.html https://bugzilla.redhat.com/show_bug.cgi?id=1320444 https://bugzilla.redhat.com/show_bug.cgi?id=1320452 https://bugzilla.redhat.com/show_bug.cgi?id=1320940 https://github.com/spacewalkproject/spacewalk/commit/7920542f https://github.com/spacewalkproject/spacewalk/commit/7b9ff9ad https://github.com/spacewalkproject/spacewalk/commit/982b11c9 https://github.com/spacewalkproject/spacewalk/commit/b6491eba https://access.redhat.com/security/cve/CVE-2016 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5041 – JDK: J9 JVM allows code to invoke non-public interface methods
https://notcve.org/view.php?id=CVE-2015-5041
The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows remote attackers to obtain sensitive information or inject data by invoking non-public interface methods. El JVM J9 en IBM SDK, Java Technology Edition 6 en versiones anteriores a SR16 FP20, 6 R1 en versiones anteriores a SR8 FP20, 7 en versiones anteriores a SR9 FP30 y 7 R1 en versiones anteriores a SR3 FP30 permite a atacantes remotos obtener información sensible o inyectar datos invocando a métodos de interfaz no públicos. • http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00026.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00032.html http://www-01.ibm.com/support/docview.wss?uid=swg1IV72872 http://www-01.ibm.com/support/docview.wss?uid=swg21974194 http://www.securityfocus.com/bid/82451 https://access.redhat.com/errata/RHSA-201 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •