Page 32 of 166 results (0.012 seconds)

CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0

Cross-site request forgery (CSRF) vulnerability in the JMX Console in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 allows remote attackers to hijack the authentication of administrators for requests that deploy WAR files. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la consola JMX de plataforma de aplicaciones Red Hat JBoss (JBoss EAP o JBEAP) 4.3 anteriores a la 4.3.0.CP09. Permite a usuarios remotos secuestrar (hijack) la autenticación de administradores para peticiones que despliegan ficheros WAR. • http://securitytracker.com/id?1024813 http://www.redhat.com/support/errata/RHSA-2010-0937.html http://www.redhat.com/support/errata/RHSA-2010-0938.html http://www.redhat.com/support/errata/RHSA-2010-0939.html https://bugzilla.redhat.com/show_bug.cgi?id=604617 https://access.redhat.com/security/cve/CVE-2010-3878 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8EPSS: 96%CPEs: 6EXPL: 1

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured. JBoss Seam 2 (jboss-seam2), como el usado en JBoss Enterprise Application Platform v4.3.0 para Red Hat Linux, no sanea adecuadamente las entradas de de la expresiones de Expression LanguageJBoss Expression Language (EL), lo que permite a atacantes remotos ejecutar código de su elección a través de URL manipuladas. NOTA: Solo se da esta vulnerabilidad cuando el Java Security Manager no está configurado adecuadamente. JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. • https://www.exploit-db.com/exploits/36653 http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html http://www.redhat.com/support/errata/RHSA-2010-0564.html http://www.securityfocus.com/bid/41994 http://www.securitytracker.com/id?1024253 http://www.vupen.com/english/advisories/2010/1929 https://bugzilla.redhat.com/show_bug.cgi?id=615956 https://exchange.xforce.ibmcloud.com/vulnerabilities/60794 https://security.netapp.com/advisory/ntap-20161017-0001 https://access.redhat. • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •

CVSS: 7.5EPSS: 96%CPEs: 2EXPL: 5

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. La aplicación web JMX-Console en JBossAs en Red Hat JBoss Enterprise Application Platform (conocido como JBoss EAP o JBEAP) v4.2 anterior v4.2.0.CP09 y v4.3 anterior v4.3.0.CP08 realiza un control de acceso sólo para los métodos GET y POST, lo que permite a a atacantes remotos enviar peticiones en el manejador GET de la aplicación que usan un método diferente. The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. • https://www.exploit-db.com/exploits/17924 https://www.exploit-db.com/exploits/16274 https://www.exploit-db.com/exploits/16316 https://www.exploit-db.com/exploits/16319 http://marc.info/?l=bugtraq&m=132129312609324&w=2 http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35 http://secunia.com/advisories/39563 http://securityreason.com/securityalert/8408 http://securitytracker.com/id?1023918 http://www.securityfocus.com/bid/39710 http://www& • CWE-284: Improper Access Control •

CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 1

Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression. Plataforma de aplicación Red Hat JBoss Enterprise (conocido como JBoss EAP r JBEAP) v4.2 anterior v4.2.0.CP09 y v4.3 anterior v4.3.0.CP08 permite a atacantes remotos obtener información sensible "deployed web contexts" (Contextos web desarrollados) a través de peticiones a servlet de estado, como quedo demostrado con una petición de cadena con full=true. NOTA: esta vulnerabilidad está provocada por una regresión del CVE-2008-3273. JBoss versions 4.2.x and 4.3.x suffer from an information disclosure vulnerability. • http://marc.info/?l=bugtraq&m=132698550418872&w=2 http://secunia.com/advisories/39563 http://securitytracker.com/id?1023918 http://www.securityfocus.com/bid/39710 http://www.vupen.com/english/advisories/2010/0992 https://bugzilla.redhat.com/show_bug.cgi?id=585900 https://exchange.xforce.ibmcloud.com/vulnerabilities/58149 https://rhn.redhat.com/errata/RHSA-2010-0376.html https://rhn.redhat.com/errata/RHSA-2010-0377.html https://rhn.redhat.com/errata/RHSA-2010-0378.html • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.5EPSS: 8%CPEs: 2EXPL: 1

The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method. La consola Web(también conocida como web-console) en JBossAs en Red Hat JBoss Enterprise Application Platform (también conocido como JBoss EAP o JBEAP) v4.2 anterior a v4.2.0.CP09 y v4.3 anterior a v4.3.0.CP08 realiza control de acceso solo para los métodos GET y POST, lo que permite a atacantes remotos obtener información sensible a través de una petición sin especificar que utiliza un métodod diferente Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information. • http://marc.info/?l=bugtraq&m=132698550418872&w=2 http://secunia.com/advisories/39563 http://securitytracker.com/id?1023917 http://www.securityfocus.com/bid/39710 http://www.vupen.com/english/advisories/2010/0992 https://bugzilla.redhat.com/show_bug.cgi?id=585899 https://exchange.xforce.ibmcloud.com/vulnerabilities/58148 https://rhn.redhat.com/errata/RHSA-2010-0376.html https://rhn.redhat.com/errata/RHSA-2010-0377.html https://rhn.redhat.com/errata/RHSA-2010-0378.html •