CVSS: 8.0EPSS: 0%CPEs: 8EXPL: 0CVE-2011-2908 – CSRF on jmx-console allows invocation of operations on mbeans
https://notcve.org/view.php?id=CVE-2011-2908
23 Nov 2012 — Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en JMX Console (jmx-console) en JBoss Enterprise Portal... • http://rhn.redhat.com/errata/RHSA-2012-1152.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 0CVE-2011-4605 – JNDI: unauthenticated remote write access is permitted by default
https://notcve.org/view.php?id=CVE-2011-4605
23 Nov 2012 — The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors. El (1) servicio JNDI, (2) servicio HA-JNDI, y (3) servlet HAJNDIFactory en JBoss Enterp... • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469 • CWE-264: Permissions, Privileges, and Access Controls CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2011-1096 – jbossws: Prone to character encoding pattern attack (XML Encryption flaw)
https://notcve.org/view.php?id=CVE-2011-1096
23 Nov 2012 — The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Enterprise Portal Platform before 5.2.2 and other products, when using block ciphers in cipher-block chaining (CBC) mode, allows remote attackers to obtain plaintext data via a chosen-ciphertext attack on SOAP responses, aka "character encoding pattern attack." El estándar W3C XML Encryption, tal como se utiliza en el componente JBoss Web Services (JBossWS) en JBoss Enterprise Portal Platform anterior a v5.2.2 y ... • http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.de • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 28EXPL: 0CVE-2012-2377 – JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started
https://notcve.org/view.php?id=CVE-2012-2377
23 Nov 2012 — JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast. El servicio de diagnóstico JGroups en JBoss Enterprise Portal Platform anterior a v5.2.2, SOA Platform anterior a v5.3.0, y BRMS Platform anterior a v5.3.0, se activa sin necesidad de autentica... • http://rhn.redhat.com/errata/RHSA-2012-1028.html • CWE-287: Improper Authentication •