CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-1194
https://notcve.org/view.php?id=CVE-2017-1194
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123669. IBM WebSphere Application Server versiones 7.0, 8.0, 8.5 y 9.0 son vulnerables a falsificación de petición en sitios cruzados (CSRF) lo que podría permitir a un atacante ejecutar acciones malintencionadas y no autorizadas transmitidas a través de un usuario que confía en el sitio web. IBM X-Force ID: 123669. • http://www.ibm.com/support/docview.wss?uid=swg22001226 http://www.securityfocus.com/bid/98142 http://www.securitytracker.com/id/1038378 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2017-1151
https://notcve.org/view.php?id=CVE-2017-1151
IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID Connect (OIDC) configured with a Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. IBM Reference #: 1999293. IBM WebSphere Application Server 8.0, 8.5, 8.5.5 y 9.0 usando OpenID Connect (OIDC) configurado con un interceptor de asociación de confianza (TAI) podría permitir a un usuario obtener elevados privilegios en el sistema. IBM Reference #: 1999293. • http://www.ibm.com/support/docview.wss?uid=swg21999293 http://www.securityfocus.com/bid/96841 http://www.securitytracker.com/id/1037984 •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2017-1121
https://notcve.org/view.php?id=CVE-2017-1121
IBM WebSphere Application Server 7.0, 8.0, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1997743 IBM WebSphere Application Server 7.0, 8.0 y 9.0 es vulnerable a las secuencias de comandos en sitios cruzados. Esta vulnerabilidad permite a los usuarios integrar código JavaScript arbitrario en la interfaz de usuario Web, alterando así la funcionalidad prevista conduciendo potencialmente a la divulgación de credenciales dentro de una sesión de confianza. IBM Reference #: 1997743 • http://www.ibm.com/support/docview.wss?uid=swg21997743 http://www.securityfocus.com/bid/96164 http://www.securitytracker.com/id/1037806 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2016-8919
https://notcve.org/view.php?id=CVE-2016-8919
IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. IBM WebSphere Application Server puede ser vulnerable a una denegación de servicio, provocada al permitir que los objetos serializados de fuentes no fiables se ejecuten y causen el consumo de recursos. • http://www.ibm.com/support/docview.wss?uid=swg21993797 http://www.securityfocus.com/bid/95650 http://www.securitytracker.com/id/1037710 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 28EXPL: 0CVE-2016-9879 – Security: Improper handling of path parameters allows bypassing the security constraint
https://notcve.org/view.php?id=CVE-2016-9879
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. • http://www.securityfocus.com/bid/95142 https://access.redhat.com/errata/RHSA-2017:1832 https://pivotal.io/security/cve-2016-9879 https://access.redhat.com/security/cve/CVE-2016-9879 https://bugzilla.redhat.com/show_bug.cgi?id=1409838 • CWE-20: Improper Input Validation CWE-417: Communication Channel Errors •