CVE-2017-1151
https://notcve.org/view.php?id=CVE-2017-1151
IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID Connect (OIDC) configured with a Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. IBM Reference #: 1999293. IBM WebSphere Application Server 8.0, 8.5, 8.5.5 y 9.0 usando OpenID Connect (OIDC) configurado con un interceptor de asociación de confianza (TAI) podría permitir a un usuario obtener elevados privilegios en el sistema. IBM Reference #: 1999293. • http://www.ibm.com/support/docview.wss?uid=swg21999293 http://www.securityfocus.com/bid/96841 http://www.securitytracker.com/id/1037984 •
CVE-2017-1121
https://notcve.org/view.php?id=CVE-2017-1121
IBM WebSphere Application Server 7.0, 8.0, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1997743 IBM WebSphere Application Server 7.0, 8.0 y 9.0 es vulnerable a las secuencias de comandos en sitios cruzados. Esta vulnerabilidad permite a los usuarios integrar código JavaScript arbitrario en la interfaz de usuario Web, alterando así la funcionalidad prevista conduciendo potencialmente a la divulgación de credenciales dentro de una sesión de confianza. IBM Reference #: 1997743 • http://www.ibm.com/support/docview.wss?uid=swg21997743 http://www.securityfocus.com/bid/96164 http://www.securitytracker.com/id/1037806 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-8919
https://notcve.org/view.php?id=CVE-2016-8919
IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. IBM WebSphere Application Server puede ser vulnerable a una denegación de servicio, provocada al permitir que los objetos serializados de fuentes no fiables se ejecuten y causen el consumo de recursos. • http://www.ibm.com/support/docview.wss?uid=swg21993797 http://www.securityfocus.com/bid/95650 http://www.securitytracker.com/id/1037710 • CWE-399: Resource Management Errors •
CVE-2016-9879 – Security: Improper handling of path parameters allows bypassing the security constraint
https://notcve.org/view.php?id=CVE-2016-9879
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. • http://www.securityfocus.com/bid/95142 https://access.redhat.com/errata/RHSA-2017:1832 https://pivotal.io/security/cve-2016-9879 https://access.redhat.com/security/cve/CVE-2016-9879 https://bugzilla.redhat.com/show_bug.cgi?id=1409838 • CWE-20: Improper Input Validation CWE-417: Communication Channel Errors •
CVE-2016-0378
https://notcve.org/view.php?id=CVE-2016-0378
IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3, when the installation lacks a default error page, allows remote attackers to obtain sensitive information by triggering an exception. IBM WebSphere Application Server (WAS) Liberty en versiones anteriores a 16.0.0.3, cuando la instalación carece de una página de error predeterminada, permite a atacantes remotos obtener información sensible desencadenando una excepción. • http://www-01.ibm.com/support/docview.wss?uid=swg1PI54459 http://www-01.ibm.com/support/docview.wss?uid=swg21981529 http://www.securityfocus.com/bid/93143 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •