CVE-2012-2377 – JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started
https://notcve.org/view.php?id=CVE-2012-2377
JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.
• http://rhn.redhat.com/errata/RHSA-2012-1028.html
• http://rhn.redhat.com/errata/RHSA-2012-1125.html
• http://rhn.redhat.com/errata/RHSA-2012-1232.html
• http://rhn.redhat.com/errata/RHSA-2013-0191.html
• http://rhn.redhat.com/errata/RHSA-2013-0192.html
• http://rhn.redhat.com/errata/RHSA-2013-0193.html
• http://rhn.redhat.com/errata/RHSA-2013-0194.html
• http://rhn.redhat.com/errata/RHSA-2013-0195.html
• http://rhn.redhat.com/errata/RHSA-2013-0196.html
• http://rhn
• CWE-287: Improper Authentication
CVE-2011-2941 – Platform: open URL redirect
https://notcve.org/view.php?id=CVE-2011-2941
Open redirect vulnerability in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the initialURI parameter.
• http://rhn.redhat.com/errata/RHSA-2011-1822.html
• https://access.redhat.com/security/cve/CVE-2011-2941
• https://bugzilla.redhat.com/show_bug.cgi?id=732342
• CWE-20: Improper Input Validation
CVE-2011-4580 – Platform: Multiple XSS flaws
https://notcve.org/view.php?id=CVE-2011-4580
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://rhn.redhat.com/errata/RHSA-2011-1822.html
• https://access.redhat.com/security/cve/CVE-2011-4580
• https://bugzilla.redhat.com/show_bug.cgi?id=760845
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-4085 – Invoker servlets authentication bypass (HTTP verb tampering)
https://notcve.org/view.php?id=CVE-2011-4085
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allows remote attackers to bypass authentication by sending a request with a different HTTP method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
• http://rhn.redhat.com/errata/RHSA-2011-1456.html
• http://rhn.redhat.com/errata/RHSA-2011-1798.html
• http://rhn.redhat.com/errata/RHSA-2011-1799.html
• http://rhn.redhat.com/errata/RHSA-2011-1800.html
• http://rhn.redhat.com/errata/RHSA-2011-1805.html
• http://rhn.redhat.com/errata/RHSA-2011-1822.html
• http://rhn.redhat.com/errata/RHSA-2012-0091.html
• http://rhn.redhat.com/errata/RHSA-2012-1028.html
• http://secunia.com/advisories/47169
• http://secunia.com/advisories
• CWE-287: Improper Authentication