Page 2 of 11 results (0.025 seconds)

CVSS: 10.0EPSS: 2%CPEs: 19EXPL: 1

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x y 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x y 5.x; Enterprise Application Platform 6.x, 5.x y 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x y Red Hat Subscription Asset Manager 1.3 permiten que atacantes remotos ejecuten comandos arbitrarios mediante un objeto Java serializado manipulado. Esto está relacionado con la librería ACC (Apache Commons Collections). It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. • https://github.com/ianxtianxt/CVE-2015-7501 http://rhn.redhat.com/errata/RHSA-2015-2500.html http://rhn.redhat.com/errata/RHSA-2015-2501.html http://rhn.redhat.com/errata/RHSA-2015-2502.html http://rhn.redhat.com/errata/RHSA-2015-2514.html http://rhn.redhat.com/errata/RHSA-2015-2516.html http://rhn.redhat.com/errata/RHSA-2015-2517.html http://rhn.redhat.com/errata/RHSA-2015-2521.html http://rhn.redhat.com/errata/RHSA-2015-2522.html http://rhn.redhat. • CWE-284: Improper Access Control CWE-502: Deserialization of Untrusted Data •

CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 1

Nokogiri before 1.5.4 is vulnerable to XXE attacks Nokogiri versiones anteriores a 1.5.4, es vulnerable a ataques de tipo XXE. • https://bugzilla.redhat.com/show_bug.cgi?id=1178970 https://github.com/sparklemotion/nokogiri/issues/693 https://nokogiri.org/CHANGELOG.html#154-2012-06-12 https://access.redhat.com/security/cve/CVE-2012-6685 • CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •

CVSS: 7.5EPSS: 0%CPEs: 39EXPL: 0

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request. Vulnerabilidad de salto de directorio en actionpack/lib/abstract_controller/base.rb en la implementación implicit-render en Ruby on Rails anterior a 3.2.18, 4.0.x anterior a 4.0.5 y 4.1.x anterior a 4.1.1, cuando ciertas configuraciones de coincidencia de patrones en rutas basadas en caracteres comodín (globbing) están habilitadas, permite a atacantes remotos leer archivos arbitrarios a través de una solicitud manipulada. A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted request. • http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf http://rhn.redhat.com/errata/RHSA-2014-1863.html http://www.securityfocus.com/bid/67244 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ https://access.redhat.com/security/cve/CVE-2014-0130 https://bugzilla.redhat.com/show_bug.cgi?id=1095105 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.3EPSS: 0%CPEs: 5EXPL: 0

Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a weak authentication scheme when the configuration file does not specify a scheme, which has unspecified impact and attack vectors. Candlepin en Red Hat Subscription Asset Manager v1.0 hasta v1.3 utiliza un esquema de autenticación débil cuando el archivo de configuración no especifica un esquema, lo cual tiene un impacto no especificado y vectores de ataque. • http://rhn.redhat.com/errata/RHSA-2013-1863.html https://bugzilla.redhat.com/show_bug.cgi?id=1042677 https://exchange.xforce.ibmcloud.com/vulnerabilities/90134 https://access.redhat.com/security/cve/CVE-2013-6439 • CWE-287: Improper Authentication CWE-290: Authentication Bypass by Spoofing •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1

Cross-site scripting (XSS) vulnerability in the Notifications form in Red Hat Subscription Asset Manager before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the username field. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en los Notifications de Red Hat Subscription Asset Manager antes de v1.2.1 que permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo de nombre de usuario (Username) • http://rhn.redhat.com/errata/RHSA-2013-0686.html http://secunia.com/advisories/52774 http://www.osvdb.org/91718 https://bugzilla.redhat.com/show_bug.cgi?id=918784 https://access.redhat.com/security/cve/CVE-2013-1823 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •