
CVE-2016-5398 – stored XSS in JBoss BPM suite business process editor
https://notcve.org/view.php?id=CVE-2016-5398
29 Sep 2016 — Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging permission to create business processes. A security flaw wa... • http://rhn.redhat.com/errata/RHSA-2016-1968.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2016-6344 – JBoss bpms 6.3.x cookie does not set httponly
https://notcve.org/view.php?id=CVE-2016-6344
07 Sep 2016 — Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies. It was discovered that JBoss... • http://rhn.redhat.com/errata/RHSA-2017-0248.html • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
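A quick way to verify this class of issue on any deployment is to audit the Set-Cookie headers a login response returns. The following is an added example, not code from JBoss BPM Suite or Red Hat: it parses raw Set-Cookie values and reports session cookies that lack HttpOnly, Secure or a SameSite value. The list of session cookie names and the sample headers are constructed for illustration (JSESSIONID is the servlet-container default; the other names are assumptions).

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite.

Added example (not code from JBoss BPM Suite). The sample headers below are
constructed, not captured from a real server.
"""
from dataclasses import dataclass, field

# JSESSIONID is the Java servlet default; the remaining names are assumed.
SESSION_COOKIE_NAMES = {"jsessionid", "sessionid", "session", "sid"}


@dataclass
class CookieReport:
    name: str
    missing: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header_value: str):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def check_set_cookie(header_value: str, require_samesite: bool = True) -> CookieReport:
    """Flag a session cookie that is missing hardening attributes."""
    name, attrs = parse_set_cookie(header_value)
    report = CookieReport(name=name)
    if name.lower() not in SESSION_COOKIE_NAMES:
        return report  # non-session cookies are out of scope for this check
    if "httponly" not in attrs:
        report.missing.append("HttpOnly")
    if "secure" not in attrs:
        report.missing.append("Secure")
    if require_samesite and attrs.get("samesite", "").lower() not in {"lax", "strict"}:
        report.missing.append("SameSite=Lax|Strict")
    return report


def audit_response_headers(headers):
    """headers: iterable of (name, value) pairs as read from an HTTP response."""
    return [check_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


# Constructed sample response headers (not captured from a real system).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=3F2A1B; Path=/"),                                 # the 6.3.x shape
    ("Set-Cookie", "JSESSIONID=3F2A1B; Path=/; Secure; HttpOnly; SameSite=Lax"),  # hardened
    ("Set-Cookie", "theme=dark; Path=/"),                                         # not a session cookie
]

if __name__ == "__main__":
    for r in audit_response_headers(SAMPLE_HEADERS):
        print(f"{r.name}: {'OK' if r.ok else 'missing ' + ', '.join(r.missing)}")
```

Run it against the headers of a real login response (for example from a saved curl -i capture) rather than the constructed list; a reported "HttpOnly" gap is exactly what this CVE describes, and the Secure and SameSite checks catch the neighbouring weaknesses at the same time.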

CVE-2016-7033 – bpms: stored XSS in dashbuilder
https://notcve.org/view.php?id=CVE-2016-7033
07 Sep 2016 — Multiple cross-site scripting (XSS) vulnerabilities in the admin pages in dashbuilder in Red Hat JBoss BPM Suite 6.3.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via dashbuilder. ... • http://rhn.redhat.com/errata/RHSA-2017-0249.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2016-7034 – Dashbuilder: insecure handling of CSRF token
https://notcve.org/view.php?id=CVE-2016-7034
07 Sep 2016 — The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token. • http://rhn.redhat.com/errata/RHSA-2017-0557.html • CWE-352: Cross-Site Request Forgery (CSRF) •
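The two failure modes named above (tokens that leak through the URL, and old tokens that remain valid) are avoided by binding each token to the session and an issue time and by refusing tokens presented in the query string. The block below is an added example, not Dashbuilder's code or the upstream fix: tokens are HMAC(key, session_id || issued_at), so a token captured from an earlier session, a log line or a Referer header fails verification, and the validator only accepts tokens delivered in a header or form body. The key, session ids and TTL are constructed assumptions.

```python
"""Session-bound, expiring CSRF tokens that are never accepted from a query string.

Added example, not Dashbuilder's code. Key, session ids and the TTL are assumed.
"""
import base64
import hashlib
import hmac
import struct
import time

TOKEN_TTL = 3600          # seconds a token stays valid (assumed policy)
CLOCK_SKEW = 60           # tolerance for tokens "from the future"
MAC_LEN = 32              # SHA-256 digest length


def issue_token(key: bytes, session_id: str, now=None) -> str:
    """Token = base64url(issued_at || HMAC-SHA256(key, session_id || issued_at))."""
    ts = int(now if now is not None else time.time())
    ts_bytes = struct.pack(">Q", ts)
    mac = hmac.new(key, session_id.encode() + ts_bytes, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ts_bytes + mac).decode().rstrip("=")


def verify_token(key: bytes, session_id: str, token: str, source: str, now=None):
    """Return (accepted, reason). `source` is where the request carried the token."""
    # Tokens in the URL end up in access logs, browser history and Referer
    # headers; the CVE text describes exactly that exposure, so refuse them.
    if source not in ("header", "form"):
        return False, f"token from {source!r} not accepted"
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return False, "malformed"
    if len(raw) != 8 + MAC_LEN:
        return False, "malformed"
    ts_bytes, mac = raw[:8], raw[8:]
    expected = hmac.new(key, session_id.encode() + ts_bytes, hashlib.sha256).digest()
    # Constant-time compare; a token from another session fails here because
    # the session id is part of the MAC input.
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature or wrong session"
    ts = struct.unpack(">Q", ts_bytes)[0]
    current = int(now if now is not None else time.time())
    if current - ts > TOKEN_TTL or ts > current + CLOCK_SKEW:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # in practice: a per-deployment random secret
    tok = issue_token(key, "sess-A")
    print(verify_token(key, "sess-A", tok, "header"))   # accepted
    print(verify_token(key, "sess-A", tok, "query"))    # refused: came via URL
    print(verify_token(key, "sess-B", tok, "header"))   # refused: other session
```

Because the session id is folded into the MAC, rotating the session id at login (the usual fixation defence) automatically invalidates every token issued before it, which is the "old token" case the advisory text describes.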

CVE-2016-4999 – Dashbuilder: SQL Injection on data set lookup filters
https://notcve.org/view.php?id=CVE-2016-4999
14 Jul 2016 — SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI. • https://github.com/shanika04/dashbuilder • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
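The bug class here is a filter value quoted by hand and concatenated into the SQL text. The block below is an added example in Python with sqlite3, not the Dashbuilder Java code and not its upstream patch: it reproduces the shape of the flaw (a string-built WHERE clause) next to the parameterised form, and runs a UNION payload through both so the difference is visible. The table contents and the payload are constructed.

```python
"""String-built vs parameterised data-set filter, added example (not Dashbuilder code).

Tables and rows below are constructed for the demonstration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema: a reporting table and a table the filter should never reach."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE orders(id INTEGER, region TEXT, amount REAL);
        INSERT INTO orders VALUES (1, 'EMEA', 10.0), (2, 'APAC', 20.0), (3, 'EMEA', 30.0);
        CREATE TABLE users(name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES ('admin', 'secret-hash-1');
        """
    )
    return con


def vulnerable_filter(con: sqlite3.Connection, region: str):
    """Mirrors the bug class: the filter value is wrapped in quotes and concatenated."""
    sql = "SELECT id, region, amount FROM orders WHERE region = '" + region + "'"
    return con.execute(sql).fetchall()


def safe_filter(con: sqlite3.Connection, region: str):
    """The standard fix: a bound parameter. Quotes inside the value stay data."""
    return con.execute(
        "SELECT id, region, amount FROM orders WHERE region = ?", (region,)
    ).fetchall()


# Constructed payload: closes the string literal, appends a UNION, comments out the rest.
PAYLOAD = "' UNION SELECT 0, name, pw_hash FROM users --"

if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", vulnerable_filter(con, PAYLOAD))  # leaks the users row
    print("safe:      ", safe_filter(con, PAYLOAD))        # no row matches the literal string
```

The same shape applies to any dialect class that builds SQL from display-layer input: if the only defence is quoting the value, a single embedded quote ends the literal and the rest of the filter becomes SQL.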

CVE-2015-7501 – apache-commons-collections: InvokerTransformer code execution during deserialisation
https://notcve.org/view.php?id=CVE-2015-7501
20 Nov 2015 — Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collect... • https://github.com/ianxtianxt/CVE-2015-7501 • CWE-284: Improper Access Control CWE-502: Deserialization of Untrusted Data •
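Every product in that list shares the same root cause: an ObjectInputStream fed attacker-controlled bytes while a gadget class such as InvokerTransformer is on the classpath. On the JVM the durable control is an ObjectInputFilter (JEP 290); in front of the JVM, a proxy or upload handler can at least refuse streams that name known gadget classes. The block below is an added example, not code from Red Hat or Apache: it recognises the Java serialization header, walks the stream for TC_CLASSDESC records (0x72, a two-byte length, the class name) and matches the names against a denylist. The denylist is an assumption drawn from the Commons Collections functors classes, and the sample streams are hand-assembled fragments, not working exploit payloads.

```python
"""Pre-filter for Java serialization streams: spot known gadget class names.

Added example (not Red Hat or Apache code). The denylist is assumed; the sample
streams are constructed descriptor fragments, not real payloads.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Assumed denylist: functors used by the Commons Collections gadget chains.
DENYLIST = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
}
CLASS_NAME = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
MAX_NAME = 512


def is_java_serialized(data: bytes) -> bool:
    return data.startswith(STREAM_MAGIC)


def extract_class_names(data: bytes):
    """Collect class names from TC_CLASSDESC records found in the stream."""
    names = []
    i = len(STREAM_MAGIC) if is_java_serialized(data) else 0
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", data[i + 1:i + 3])
            raw = data[i + 3:i + 3 + n]
            if 0 < n <= MAX_NAME and len(raw) == n:
                try:
                    name = raw.decode("utf-8")
                except UnicodeDecodeError:
                    name = None
                if name and CLASS_NAME.match(name):
                    names.append(name)
                    i += 3 + n          # skip past the name so inner 'r' bytes are not re-read
                    continue
        i += 1
    return names


def scan(data: bytes):
    """Return ('not-java-serialized' | 'allow' | 'block', matched_denylist_names)."""
    if not is_java_serialized(data):
        return "not-java-serialized", []
    bad = [n for n in extract_class_names(data) if n in DENYLIST]
    return ("block" if bad else "allow"), bad


def class_desc(name: str) -> bytes:
    """Constructed TC_CLASSDESC prefix: tag, u2 length, UTF-8 name, 8 placeholder bytes."""
    enc = name.encode("utf-8")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(enc)) + enc + b"\x00" * 8


# Constructed samples (descriptor fragments only, not complete object graphs).
BENIGN = STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc("java.util.HashMap")
SUSPECT = (
    STREAM_MAGIC
    + bytes([TC_OBJECT])
    + class_desc("java.util.HashMap")
    + class_desc("org.apache.commons.collections.functors.InvokerTransformer")
)

if __name__ == "__main__":
    print(scan(BENIGN))    # ('allow', [])
    print(scan(SUSPECT))   # ('block', ['org.apache...InvokerTransformer'])
```

Treat this as a tripwire, not a boundary: class names can also arrive via TC_PROXYCLASSDESC or be referenced after a first appearance, and new gadget chains keep appearing, so the in-process ObjectInputFilter (or removing deserialization of untrusted input altogether) is the fix the advisory's errata aim at.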

CVE-2015-1818 – dashbuilder: XXE/SSRF vulnerability
https://notcve.org/view.php?id=CVE-2015-1818
04 Aug 2015 — XML external entity (XXE) vulnerability in the dashbuilder import facility (DocumentBuilders in org.jboss.dashboard.export.ImportManagerImpl) in Red Hat JBoss BPM Suite before 6.1.2 allows remote attackers to read arbitrary files, conduct server-side request forgery (SSRF) attacks, and have other unspecified impact via a crafted XML document. • http://rhn.redhat.com/errata/RHSA-2015-1539.html • CWE-611: Improper Restriction of XML External Entity Reference •
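An import facility has no legitimate reason to accept a DTD, so the simplest hardening is to refuse any document that carries a DOCTYPE or entity declaration before it reaches the real parser; on the JVM that is the disallow-doctype-decl feature on DocumentBuilderFactory. The block below is an added example in Python, not the Dashbuilder code or its fix: it registers expat callbacks that abort parsing as soon as a DOCTYPE or ENTITY declaration is seen, then hands clean documents to ElementTree. Python's expat does not fetch external entities on its own, so the guard demonstrates the policy rather than reproducing the file-read or SSRF behaviour. The sample documents are constructed.

```python
"""Refuse XML with a DTD before an importer parses it (added example, not Dashbuilder code).

Sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when the document carries a DOCTYPE or an entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Parse with expat and abort on the first DOCTYPE / ENTITY declaration."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for both an internal subset and an external DTD reference
        # (the latter is the SSRF vector: the parser would fetch `sysid`).
        raise UnsafeXml(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity declaration {name!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)          # exceptions raised in handlers propagate from here


def safe_import(data: bytes) -> str:
    """Guard first, then parse for real; returns the root element name."""
    reject_dtd(data)
    return ET.fromstring(data).tag


def is_safe(data: bytes) -> bool:
    try:
        reject_dtd(data)
    except (UnsafeXml, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed samples.
BENIGN = b'<?xml version="1.0"?><dashboard><kpi name="orders"/></dashboard>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<dashboard>&xxe;</dashboard>')
SSRF = (b'<?xml version="1.0"?>'
        b'<!DOCTYPE d SYSTEM "http://internal.example/x.dtd">'
        b'<dashboard/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("ssrf", SSRF)):
        print(label, "accepted" if is_safe(doc) else "rejected")
```

Rejecting the DOCTYPE outright is stricter than disabling external entities one feature at a time, and it also closes the external-DTD fetch (the SSRF case) and entity-expansion denial of service in the same check.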

CVE-2013-6468 – Drools: Remote Java Code Execution in MVEL
https://notcve.org/view.php?id=CVE-2013-6468
03 Apr 2014 — JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allow remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression. Red Hat JBoss BPM Suite is a business rules man... • http://rhn.redhat.com/errata/RHSA-2014-0371.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •