CVE-2016-2960
https://notcve.org/view.php?id=CVE-2016-2960
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.0.x before 8.0.0.13, 8.5.0.x before 8.5.5.10, 8.5.0.x and 16.0.0.x Liberty before Liberty Fix Pack 16.0.0.3, and 9.0.0.x before 9.0.0.1 allows remote attackers to cause a denial of service via crafted SIP messages. IBM WebSphere Application Server (WAS) 7.x en versiones anteriores a 7.0.0.43, 8.0.0.x en versiones anteriores a 8.0.0.13, 8.5.0.x en versiones anteriores a 8.5.5.10, 8.5.0.x y 16.0.0.x Liberty en versiones anteriores a Liberty Fix Pack 16.0.0.3 y 9.0.0.x en versiones anteriores a 9.0.0.1 permite a atacantes remotos provocar una denegación de servicio a través de mensajes SIP manipulados. • http://www-01.ibm.com/support/docview.wss?uid=swg1PI61548 http://www-01.ibm.com/support/docview.wss?uid=swg21984796 http://www.securityfocus.com/bid/92354 http://www.securitytracker.com/id/1036514 • CWE-284: Improper Access Control •
CVE-2016-0359
https://notcve.org/view.php?id=CVE-2016-0359
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10, and 8.5 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL. Vulnerabilidad de inyección CRLF en IBM WebSphere Application Server (WAS) 7.0 en versiones anteriores a 7.0.0.43, 8.0 en versiones anteriores a 8.0.0.13, 8.5 Full en versiones anteriores a 8.5.5.10 y 8.5 Liberty en versiones anteriores a Liberty Fix Pack 16.0.0.2 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de separación de respuesta HTTP a través de una URL manipulada. • http://www-01.ibm.com/support/docview.wss?uid=swg1PI58918 http://www-01.ibm.com/support/docview.wss?uid=swg21982526 http://www.securityfocus.com/bid/91484 http://www.securitytracker.com/id/1036184 •
CVE-2016-0306
https://notcve.org/view.php?id=CVE-2016-0306
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5.5.10, when FIPS 140-2 is enabled, misconfigures TLS, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors. IBM WebSphere Application Server (WAS) 7.0 en versiones anteriores a 7.0.0.41, 8.0 en versiones anteriores a 8.0.0.13 y 8.5 en versiones anteriores a 8.5.5.10, cuando FIPS 140-2 está activado, configura incorrectamente TLS, lo que permite a atacantes man-in-the-middle obtener información sensible a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1PI56190 http://www-01.ibm.com/support/docview.wss?uid=swg21979231 http://www.securityfocus.com/bid/85978 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-7417
https://notcve.org/view.php?id=CVE-2015-7417
Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 7.0 before 7.0.0.41, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.9 allows remote authenticated users to inject arbitrary web script or HTML via crafted data from an OAuth provider. Vulnerabilidad de XSS en IBM WebSphere Application Server 7.0 en versiones anteriores a 7.0.0.41, 8.0 en versiones anteriores a 8.0.0.12 y 8.5 en versiones anteriores a 8.5.5.9 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de datos de un proveedor OAuth manipulados. • http://www-01.ibm.com/support/docview.wss?uid=swg1PI49272 http://www-01.ibm.com/support/docview.wss?uid=swg21974520 http://www.securityfocus.com/bid/81738 http://www.securitytracker.com/id/1034783 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-7450 – IBM WebSphere Application Server and Server Hypervisor Edition Code Injection.
https://notcve.org/view.php?id=CVE-2015-7450
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library. Interfaces de objetos serializados en determinados productos IBM analytics, business solutions, cognitive, IT infrastructure y mobile and social permiten a atacantes remotos ejecutar comandos arbitrarios a través de un objeto Java serializado manipulado, relacionado con la clase InvokerTransformer en la librería Apache Commons Collections. Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands • https://www.exploit-db.com/exploits/41613 http://www-01.ibm.com/support/docview.wss?uid=swg21970575 http://www-01.ibm.com/support/docview.wss?uid=swg21971342 http://www-01.ibm.com/support/docview.wss?uid=swg21971376 http://www-01.ibm.com/support/docview.wss?uid=swg21971733 http://www-01.ibm.com/support/docview.wss? •