CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2014-4748 – IBM Sametime Meet Server 8.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-4748
Cross-site scripting (XSS) vulnerability in the Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de XSS en Classic Meeting Server en IBM Sametime 8.x hasta 8.5.2.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada. IBM Sametime Meet Server version 8.5 suffers from a reflective cross site scripting vulnerability. • http://linux.oracle.com/errata/ELSA-2014-0747.html http://packetstormsecurity.com/files/127831/IBM-Sametime-Meet-Server-8.5-Cross-Site-Scripting.html http://secunia.com/advisories/60202 http://www-01.ibm.com/support/docview.wss?uid=swg21679221 https://exchange.xforce.ibmcloud.com/vulnerabilities/94350 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0CVE-2014-3867
https://notcve.org/view.php?id=CVE-2014-3867
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different vulnerability than CVE-2013-3984. Meeting Server en IBM Sametime 8.x hasta 8.5.2.1 y 9.x hasta 9.0.0.1 no incluye la etiqueta HTTPOnly flag en una cabecera Set-Cookie para una cookie no especificada, lo que facilita a atacantes remotos obtener información potencialmente sensible a través de acceso script a esta cookie, una vulnerabilidad diferente a CVE-2013-3984. • http://www-01.ibm.com/support/docview.wss?uid=swg21671201 http://www.securityfocus.com/bid/67659 https://exchange.xforce.ibmcloud.com/vulnerabilities/84967 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0CVE-2013-3980
https://notcve.org/view.php?id=CVE-2013-3980
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to cause a denial of service (room unusability) by generating a large number of fictitious users to enter a meeting room. Meeting Server en IBM Sametime 8.x hasta 8.5.2.1 y 9.x hasta 9.0.0.1 permite a atacantes remotos causar una denegación de servicio (inutilizabilidad de aula) mediante la generación de un número grande de usuarios ficticios apara entrar en una aula de reunión. • http://www-01.ibm.com/support/docview.wss?uid=swg21671201 https://exchange.xforce.ibmcloud.com/vulnerabilities/84906 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2014-0906
https://notcve.org/view.php?id=CVE-2014-0906
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not check whether a session cookie is current, which allows remote attackers to conduct user-search actions by leveraging possession of a (1) expired or (2) invalidated cookie. Meeting Server en IBM Sametime 8.x hasta 8.5.2.1 y 9.x hasta 9.0.0.1 no comprueba si una cookie de sesión es actual, lo que permite a atacantes remotos realizar acciones de búsqueda de usuario mediante el aprovechamiento de una cookie (1) caducada o (2) invalidada. • http://www-01.ibm.com/support/docview.wss?uid=swg21671201 https://exchange.xforce.ibmcloud.com/vulnerabilities/91854 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 12EXPL: 0CVE-2013-3046
https://notcve.org/view.php?id=CVE-2013-3046
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not send the HSTS Strict-Transport-Security header, which makes it easier for man-in-the-middle attackers to hijack sessions or obtain sensitive information by leveraging the presence of HTTP requests. Meeting Server en IBM Sametime 8.x hasta 8.5.2.1 y 9.x hasta 9.0.0.1 no envía la cabecera HSTS Strict-Transport-Security, lo que facilita a atacantes man-in-the-middle secuestrar sesiones u obtener información sensible mediante el aprovechamiento de la presencia de solicitudes HTTP. • http://www-01.ibm.com/support/docview.wss?uid=swg21671201 https://exchange.xforce.ibmcloud.com/vulnerabilities/84819 • CWE-287: Improper Authentication •