CVSS: 4.9EPSS: 4%CPEs: 1EXPL: 3CVE-2016-4314 – WSO2 Carbon 4.4.5 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2016-4314
Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the logFile parameter to downloadgz-ajaxprocessor.jsp. Vulnerabilidad de salto de directorio en el LogViewer Admin Service en WSO2 Carbon 4.4.5 permite a administradores remotos autenticados leer archivos arbitrarios a través de un .. (punto punto) en el parámetro logFile para downloadgz-ajaxprocessor.jsp. DuckieTV CMS version 1.1.5 suffers from a local file inclusion vulnerability. • https://www.exploit-db.com/exploits/40240 http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt http://packetstormsecurity.com/files/138330/WSO2-Carbon-4.4.5-Local-File-Inclusion.html http://www.securityfocus.com/archive/1/539200/100/0/threaded http://www.securityfocus.com/bid/92473 https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3CVE-2016-4311 – WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-4311
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request. Vulnerabilidad de CSRF en la funcionalidad de flujo XACML en WSO2 Identity Server 5.1.0 permite a atacantes remotos secuestrar la autenticación de usuarios privilegiados para solicitudes que procesan solicitudes XACML a través de una solicitud entitlement/eval-policy-submit.jsp. WSO2 Identity Server version 5.1.0 suffers from cross site request forgery and XML external-entity injection vulnerabilities. • https://www.exploit-db.com/exploits/40239 http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html http://www.securityfocus.com/archive/1/539199/100/0/threaded http://www.securityfocus.com/bid/92485 https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 3CVE-2016-4312 – WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-4312
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. Vulnerabilidad de XXE en la funcionalidad de flujo XACML en WSO2 Identity Server 5.1.0 en versiones anteriores a WSO2-CARBON-PATCH-4.4.0-0231 permite a usuarios remotos autenticados con acceso a características XACML leer archivos arbitrarios, provocar una denegación de servicio, realizar ataques de SSRF o tener otros impactos no especificados a través de una solicitud de XACML creada para entitlement/eval-policy-submit.jsp. NOTA: este problema se puede combinar con CVE-2016-4311 para explotar la vulnerabilidad sin credenciales. WSO2 Identity Server version 5.1.0 suffers from cross site request forgery and XML external-entity injection vulnerabilities. • https://www.exploit-db.com/exploits/40239 http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html http://www.securityfocus.com/archive/1/539199/100/0/threaded http://www.securityfocus.com/bid/92485 https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2016-4327 – WSO2 SOA Enablement Server Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-4327
Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. Vulnerabilidad XSS en WSO2 SOA Enablement Server para Java/6.6 build SSJ-6.6-20090816-1616 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de PATH_INFO. WSO2 SOA Enablement server suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/137073/WSO2-SOA-Enablement-Server-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/538413/100/0/threaded http://www.securityfocus.com/bid/85893 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •