CVSS: 7.5EPSS: 8%CPEs: 2EXPL: 1CVE-2010-1428 – Red Hat JBoss Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2010-1428
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method. La consola Web(también conocida como web-console) en JBossAs en Red Hat JBoss Enterprise Application Platform (también conocido como JBoss EAP o JBEAP) v4.2 anterior a v4.2.0.CP09 y v4.3 anterior a v4.3.0.CP08 realiza control de acceso solo para los métodos GET y POST, lo que permite a atacantes remotos obtener información sensible a través de una petición sin especificar que utiliza un métodod diferente Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information. • http://marc.info/?l=bugtraq&m=132698550418872&w=2 http://secunia.com/advisories/39563 http://securitytracker.com/id?1023917 http://www.securityfocus.com/bid/39710 http://www.vupen.com/english/advisories/2010/0992 https://bugzilla.redhat.com/show_bug.cgi?id=585899 https://exchange.xforce.ibmcloud.com/vulnerabilities/58148 https://rhn.redhat.com/errata/RHSA-2010-0376.html https://rhn.redhat.com/errata/RHSA-2010-0377.html https://rhn.redhat.com/errata/RHSA-2010-0378.html •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2009-2405 – JBoss Application Server Web Console XSS
https://notcve.org/view.php?id=CVE-2009-2405
Multiple cross-site scripting (XSS) vulnerabilities in the Web Console in the Application Server in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA, 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject arbitrary web script or HTML via the (1) monitorName, (2) objectName, (3) attribute, or (4) period parameter to createSnapshot.jsp, or the (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9) period, or (10) enabled parameter to createThresholdMonitor.jsp. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en la consola web en el servidor de aplicaciones en Red Hat JBoss Enterprise Application Platform (también conocido como JBoss EAP or JBEAP) v4.2.0 anteriores a v4.2.0.CP08, v4.2.2GA, v4.3 anteriores a v4.3.0.CP07, y v5.1.0GA permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de los parámetros (1) monitorName, (2) objectName, (3) attribute, or (4) period parameter to createSnapshot.jsp, or the (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9) period, or (10) enabled para createThresholdMonitor.jsp. NOTA: Algunos de los detalles fueron obtenidos de terceras partes. • http://secunia.com/advisories/35680 http://secunia.com/advisories/37671 http://securitytracker.com/id?1023315 http://www.osvdb.org/60898 http://www.osvdb.org/60899 http://www.securityfocus.com/bid/37276 https://bugzilla.redhat.com/show_bug.cgi?id=510023 https://exchange.xforce.ibmcloud.com/vulnerabilities/54700 https://jira.jboss.org/jira/browse/JBAS-7105 https://jira.jboss.org/jira/browse/JBPAPP-2274 https://jira.jboss.org/jira/browse/JBPAPP-2284 https://rhn.red • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 15EXPL: 0CVE-2009-1380 – jbossas JMX-Console cross-site-scripting in filter parameter
https://notcve.org/view.php?id=CVE-2009-1380
Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 allows remote attackers to inject arbitrary web script or HTML via the filter parameter, related to the key property and the position of quote and colon characters. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en JMX-Console en JBossAs en Red Hat JBoss Enterprise Application Platform (tambien conocida como JBoss EAP or JBEAP) v4.2 anteriores a v4.2.0.CP08 y v4.3 anteriores a v4.3.0.CP07 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro filtro, relacionado con la propiedad "key" y la posición de los caracteres comilla y dos puntos. • http://secunia.com/advisories/37671 http://securitytracker.com/id?1023315 http://www.securityfocus.com/bid/37276 https://bugzilla.redhat.com/show_bug.cgi?id=511224 https://exchange.xforce.ibmcloud.com/vulnerabilities/54698 https://jira.jboss.org/jira/browse/JBPAPP-1983 https://rhn.redhat.com/errata/RHSA-2009-1636.html https://rhn.redhat.com/errata/RHSA-2009-1637.html https://rhn.redhat.com/errata/RHSA-2009-1649.html https://rhn.redhat.com/errata/RHSA-2009-1650.html https&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.1EPSS: 0%CPEs: 11EXPL: 0CVE-2009-3554 – JBoss EAP Twiddle logs the JMX password
https://notcve.org/view.php?id=CVE-2009-3554
Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 writes the JMX password, and other command-line arguments, to the twiddle.log file, which allows local users to obtain sensitive information by reading this file. Twiddle en Red Hat en la plataforma de aplicaciones JBoss Enterprise (tambien conocido como JBoss EAP or JBEAP) v4.2 anteriores a v4.2.0.CP08 y v4.3 anteriores a v4.3.0.CP07 escribe la contraseña JMX, y otros argumentos de linea de comandos, al fichero twiddle.log, lo que permite a usuarios locales conseguir información sensible leyendo este fichero. • http://secunia.com/advisories/37671 http://securitytracker.com/id?1023316 http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp08/html-single/Release_Notes/index.html http://www.securityfocus.com/bid/37276 https://bugzilla.redhat.com/show_bug.cgi?id=532111 https://bugzilla.redhat.com/show_bug.cgi?id=539495 https://exchange.xforce.ibmcloud.com/vulnerabilities/54702 https://jira.jboss.org/jira/browse/JBPAPP-2872 https://rhn.redhat.com/errata/RHSA-2009-1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0CVE-2009-0027 – JBoss EAP unprivileged local xml file access
https://notcve.org/view.php?id=CVE-2009-0027
The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request. El manejador de solicitudes de JBossWS en JBoss Enterprise Application Platform (alias JBoss o JBEAP PEA) 4.2 antes de 4.2.0.CP06 y 4.3 antes de 4.3.0.CP04 no valida la ruta durante una petición de un archivo WSDL con un punto final del web-service propio, lo que permite a atacantes remotos leer archivos XML arbitrarios a través de una solicitud debidamente modificada. • http://rhn.redhat.com/errata/RHSA-2009-0346.html http://rhn.redhat.com/errata/RHSA-2009-0347.html http://rhn.redhat.com/errata/RHSA-2009-0348.html http://rhn.redhat.com/errata/RHSA-2009-0349.html http://secunia.com/advisories/34112 http://www.securityfocus.com/bid/34023 http://www.securitytracker.com/id?1021817 https://bugzilla.redhat.com/show_bug.cgi?id=479668 https://jira.jboss.org/jira/browse/JBPAPP-1548 https://access.redhat.com/security/cve/CVE-2009-0027 • CWE-20: Improper Input Validation •