Page 39 of 216 results (0.011 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2016-2104 – 5: stored and reflected XSS vulnerabilities

https://notcve.org/view.php?id=CVE-2016-2104

Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via (1) the label parameter to admin/BunchDetail.do; (2) the package_name, (3) search_subscribed_channels, or (4) channel_filter parameter to software/packages/NameOverview.do; or unspecified vectors related to (5) <input:hidden> or (6) <bean:message> tags. Varias vulnerabilidades de XSS en Red Hat Satellite 5 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el parámetro label a admin/BunchDetail.do; (2) el package_name, (3) search_subscribed_channels o (4) el parámetro channel_filter a software/packages/NameOverview.do; O vectores no especificados relacionados con (5) o (6) tags. Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users. • http://rhn.redhat.com/errata/RHSA-2016-0590.html https://bugzilla.redhat.com/show_bug.cgi?id=1305677 https://bugzilla.redhat.com/show_bug.cgi?id=1313515 https://access.redhat.com/security/cve/CVE-2016-2104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2016-3079 – spacewalk-java: Multiple XSS issues in WebUI

https://notcve.org/view.php?id=CVE-2016-3079

Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to systems/SystemEntitlements.do; (2) the label parameter to admin/multiorg/EntitlementDetails.do; or the name of a (3) snapshot tag or (4) system group in System Set Manager (SSM). Múltiples vulnerabilidades de XSS en la Web UI en Spacewalk y Red Hat Satellite 5.7 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) PATH_INFO en systems/SystemEntitlements.do; (2) el parámetro label en admin/multiorg/EntitlementDetails.do; o el nombre de (3) una etiqueta snapshot o (4) un grupo de sistema en System Set Manager (SSM). Multiple cross-site scripting (XSS) flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users. • http://rhn.redhat.com/errata/RHSA-2016-0590.html https://bugzilla.redhat.com/show_bug.cgi?id=1320444 https://bugzilla.redhat.com/show_bug.cgi?id=1320452 https://bugzilla.redhat.com/show_bug.cgi?id=1320940 https://github.com/spacewalkproject/spacewalk/commit/7920542f https://github.com/spacewalkproject/spacewalk/commit/7b9ff9ad https://github.com/spacewalkproject/spacewalk/commit/982b11c9 https://github.com/spacewalkproject/spacewalk/commit/b6491eba https://access.redhat.com/security/cve/CVE-2016&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 0

CVE-2015-5041 – JDK: J9 JVM allows code to invoke non-public interface methods

https://notcve.org/view.php?id=CVE-2015-5041

The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows remote attackers to obtain sensitive information or inject data by invoking non-public interface methods. El JVM J9 en IBM SDK, Java Technology Edition 6 en versiones anteriores a SR16 FP20, 6 R1 en versiones anteriores a SR8 FP20, 7 en versiones anteriores a SR9 FP30 y 7 R1 en versiones anteriores a SR3 FP30 permite a atacantes remotos obtener información sensible o inyectar datos invocando a métodos de interfaz no públicos. • http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00026.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00032.html http://www-01.ibm.com/support/docview.wss?uid=swg1IV72872 http://www-01.ibm.com/support/docview.wss?uid=swg21974194 http://www.securityfocus.com/bid/82451 https://access.redhat.com/errata/RHSA-201 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0

CVE-2015-5233 – foreman: reports show/destroy not restricted by host authorization

https://notcve.org/view.php?id=CVE-2015-5233

Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs. Foreman en versiones anteriores a 1.8.4 y 1.9.x en versiones anteriores a 1.9.1 no aplica correctamente los permisos view_hosts, lo que permite (1) a usuarios remotos autenticados con el permiso view_reports leer informes desde hosts arbitrarios o (2) a usuarios remotos autenticados con el permiso destroy_reports borrar informes desde hosts arbitrarios a través del acceso directo a (a) las páginas show/delete del informe individual o (b) APIs. A flaw was discovered where Satellite failed to properly enforce permissions on the show and delete actions for reports. An authenticated user with show or delete report permissions could use this flaw to view or delete any reports held in Foreman. • http://projects.theforeman.org/issues/11579 http://theforeman.org/security.html#CVE-2015-5233:reportsshow/destroynotrestrictedbyhostauthorization https://access.redhat.com/errata/RHSA-2015:2622 https://access.redhat.com/security/cve/CVE-2015-5233 https://bugzilla.redhat.com/show_bug.cgi?id=1262443 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •

CVSS: 2.1EPSS: 0%CPEs: 30EXPL: 0

CVE-2015-5006 – JDK: local disclosure of kerberos credentials cache

https://notcve.org/view.php?id=CVE-2015-5006

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR2, 7 R1 before SR3 FP20, 7 before SR9 FP20, 6 R1 before SR8 FP15, and 6 before SR16 FP15 allow physically proximate attackers to obtain sensitive information by reading the Kerberos Credential Cache. IBM Java Security Components en IBM SDK, Java Technology Edition 8 en versiones anteriores a SR2, 7 R1 en versiones anteriores a SR3 FP20, 7 en versiones anteriores a SR9 FP20, 6 R1 en versiones anteriores a SR8 FP15 y 6 en versiones anteriores a SR16 FP15 permite a atacantes físicamente próximos obtener información sensible mediante la lectura del Kerberos Credential Cache. • http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •