CVE-2010-2636
https://notcve.org/view.php?id=CVE-2010-2636
Multiple cross-site scripting (XSS) vulnerabilities in sample store pages in IBM WebSphere Commerce 7.0 before 7.0.0.1 allow remote attackers to inject arbitrary web script or HTML via a crafted URL. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en páginas de ejemplo almacenadas en IBM WebSphere Commerce v7.0 anterior a v7.0.0.1 que permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de una URL manipulada. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR35424 https://exchange.xforce.ibmcloud.com/vulnerabilities/62952 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-3700 – Spring Security Security Constraint Bypass
https://notcve.org/view.php?id=CVE-2010-3700
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter. VMware SpringSource Spring Security v2.x anterior a v2.0.6 y v3.x anterior a v3.0.4, y Acegi Security v1.0.0 hasta v1.0.7, como el usado en IBM WebSphere Application Server (WAS) v6.1 y v7.0, permite a los atacantes remotos evitar las restricciones de seguridad a través de un parámetro de ruta. Spring Security does not consider URL path parameters when processing security constraints. By adding an URL path parameter to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). • http://osvdb.org/68931 http://secunia.com/advisories/42024 http://www.securityfocus.com/archive/1/514517/100/0/threaded http://www.securityfocus.com/bid/44496 http://www.springsource.com/security/cve-2010-3700 https://issues.apache.org/bugzilla/show_bug.cgi?id=25015 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-0782
https://notcve.org/view.php?id=CVE-2010-0782
IBM WebSphere MQ 6.x before 6.0.2.10 and 7.x before 7.0.1.3 allows remote attackers to spoof X.509 certificate authentication, and send or receive channel messages, via a crafted Subject Distinguished Name (DN) value in a certificate. IBM WebSphere MQ v6.x anterior a v6.0.2.10 y v7.x anterior a v7.0.1.3, permite a atacantes remotos suplantar certificados autenticados X.509, y enviar y recibir mensajes del canal a través de un valor manipulado de un Subject Distinguished Name (DN). • http://www-01.ibm.com/support/docview.wss?uid=swg1IZ68707 http://www-01.ibm.com/support/docview.wss?uid=swg27014224 https://exchange.xforce.ibmcloud.com/vulnerabilities/60018 •
CVE-2010-0781
https://notcve.org/view.php?id=CVE-2010-0781
Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL. Vulnerabilidad no especificada en la consola administrativa de IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.33 permite a usuarios autenticados remotamente provocar una denegación de servicio (agotamiento de CPU) a través de una URL manipulada • http://secunia.com/advisories/41722 http://www-01.ibm.com/support/docview.wss?uid=swg1PM11807 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 https://exchange.xforce.ibmcloud.com/vulnerabilities/61890 •
CVE-2010-3186
https://notcve.org/view.php?id=CVE-2010-3186
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors. El servidor de aplicaciones IBM WebSphere (WAS) v7.x en versiones anteriores a la v7.0.0.13, y WebSphere Application Server Feature Pack para Web Services v6.1.0.9 hasta la v6.1.0.32, si se utiliza una aplicación JAX-WS, no maneja apropiadamente una opción de configuración IncludeTimestamp en la política WS-Security, lo que tiene un impacto y vectores de ataque sin especificar. • http://osvdb.org/67570 http://secunia.com/advisories/41173 http://www-01.ibm.com/support/docview.wss?uid=swg1PM08360 http://www-01.ibm.com/support/docview.wss?uid=swg1PM16014 http://www-01.ibm.com/support/docview.wss?uid=swg21443736 http://www-01.ibm.com/support/docview.wss?uid=swg24027708 http://www-01.ibm.com/support/docview.wss? • CWE-20: Improper Input Validation •