CVE-2012-4851
https://notcve.org/view.php?id=CVE-2012-4851
Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URI. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en IBM WebSphere Application Server v8.5 Liberty Profile antes de v8.5.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un URI diseñada para tal fin. • http://www-01.ibm.com/support/docview.wss?uid=swg1PM68643 http://www.ibm.com/support/docview.wss?uid=swg21614265 http://www.securityfocus.com/bid/56423 https://exchange.xforce.ibmcloud.com/vulnerabilities/79541 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-2162
https://notcve.org/view.php?id=CVE-2012-2162
The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack. El complemento Web Server en IBM WebSphere Application Server (WAS) v8.0 y anteriores, utilizan comunicaciones sin HTTP cifrar después de la expiración de la contraseña de plugin-key.kdb, lo que permite a atacantes remotos obtener información sensible el tráfico de la red o servidores suplantar arbitrarios mediante un ataque man-in-the-middle. • http://www-01.ibm.com/support/docview.wss?uid=swg21588312 http://www-01.ibm.com/support/docview.wss?uid=swg21591172 https://exchange.xforce.ibmcloud.com/vulnerabilities/74900 • CWE-310: Cryptographic Issues •
CVE-2012-0193
https://notcve.org/view.php?id=CVE-2012-0193
IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 before 6.1.0.43, 7.0 before 7.0.0.23, and 8.0 before 8.0.0.3 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. IBM WebSphere Application Server (WAS) v6.0 hasta v6.0.2.43, v6.1 antes de v6.1.0.43 6.1, v7.0 antes de v7.0.0.23, v8.0 antes de v8.0.0.3 calcula los valores hash de los parámetros de los formularios sin restringir la posibilidad de ocasionar colisiones hash de una forma predecible, lo que permite provocar una denegación de servicio (por consumo de CPU) a atacantes remotos mediante el envío de gran cantidad de parámetros generados para este fin. • http://osvdb.org/78321 http://www-01.ibm.com/support/docview.wss?uid=swg1PM53930 http://www-01.ibm.com/support/docview.wss?uid=swg21577532 http://www-01.ibm.com/support/docview.wss?uid=swg24031821 • CWE-20: Improper Input Validation •
CVE-2009-2747
https://notcve.org/view.php?id=CVE-2009-2747
The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call. La implementación Java Naming and Directory Interface (JNDI) la aplicación en IBM WebSphere Application Server (WAS) v6.0 anterior a v6.0.2.39, v6.1 anterior a v6.1.0.29 6.1 y v7.0 anterior a v7.0.0.7 no restringe el acceso a métodos de objetos UserRegistry, lo que permite a atacantes remotos para obtener información sensible a través de una llamada al método manipulado. • http://www.ibm.com/support/docview.wss?uid=swg1PK91414 http://www.ibm.com/support/docview.wss?uid=swg1PK99480 https://exchange.xforce.ibmcloud.com/vulnerabilities/54228 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-3271 – IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2010-3271
Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDetail.do followed by a save action to console/syncworkspace.do. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en la Integrated Solutions Console(también conocido como consola administrativa) en IBM WebSphere Application Server (WAS) v7.0.0.13 y anteriores, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que deshabilitan ciertas opciones de seguridad a través de una acción Edit en console/adminSecurityDetail.do seguido de una acción de guardado console/syncworkspace.do. • https://www.exploit-db.com/exploits/17404 http://securityreason.com/securityalert/8281 http://www.coresecurity.com/content/IBM-WebSphere-CSRF http://www.exploit-db.com/exploits/17404 http://www.securityfocus.com/archive/1/518465/100/0/threaded http://www.securityfocus.com/bid/48305 • CWE-352: Cross-Site Request Forgery (CSRF) •