CVE-2010-2985
https://notcve.org/view.php?id=CVE-2010-2985
Multiple cross-site scripting (XSS) vulnerabilities in IBM WebSphere Service Registry and Repository (WSRR) 6.3 allow remote attackers to inject arbitrary web script or HTML via (1) the searchTerm parameter to ServiceRegistry/HelpSearch.do or (2) the queryItems[0].value parameter to ServiceRegistry/QueryWizardProcessStep1.do.
• http://secunia.com/advisories/40862
• http://www-01.ibm.com/support/docview.wss?uid=swg1IZ75984
• http://www-01.ibm.com/support/docview.wss?uid=swg1IZ76926
• http://www.securityfocus.com/bid/42281
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-0778
https://notcve.org/view.php?id=CVE-2010-0778
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://www-1.ibm.com/support/docview.wss?uid=swg1PM11778
• https://exchange.xforce.ibmcloud.com/vulnerabilities/59646
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-0779
https://notcve.org/view.php?id=CVE-2010-0779
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://www-1.ibm.com/support/docview.wss?uid=swg1PM09250
• https://exchange.xforce.ibmcloud.com/vulnerabilities/59647
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-2433 – IBM Websphere ILOG JRules 6.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-2433
Multiple cross-site scripting (XSS) vulnerabilities in content/internalError.jsp in IBM WebSphere ILOG JRules 6.7 allow remote attackers to inject arbitrary web script or HTML via an RTS URL to (1) explore/explore.jsp, (2) compose/compose.jsp, or (3) home.jsp in faces/.
• https://www.exploit-db.com/exploits/34179
• http://secunia.com/advisories/40275
• http://www-01.ibm.com/support/docview.wss?uid=swg1RS00133
• http://www.securityfocus.com/bid/41030
• https://exchange.xforce.ibmcloud.com/vulnerabilities/59609
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1632
https://notcve.org/view.php?id=CVE-2010-1632
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.
• http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
• http://geronimo.apache.org/21x-security-report.html
• http://geronimo.apache.org/22x-security-report.html
• http://markmail.org/message/e4yiij7lfexastvl
• http://secunia.com/advisories/40252
• http://secunia.com/advisories/40279
• http://secunia.com/advisories/41016
• http://secunia.com/advisories/41025
• http://www-01.ibm.com/support/docview.wss?uid=swg21433581
• http://www-1.ibm.com/support/docview.wss?uid=swg1PM14765
• http
• CWE-20: Improper Input Validation