CVSS: 4.3EPSS: 0%CPEs: 44EXPL: 0CVE-2014-9649 – RabbitMQ: /api/... XSS vulnerability
https://notcve.org/view.php?id=CVE-2014-9649
Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message. Vulnerabilidad de XSS en el plugin de gestión en RabbitMQ 2.1.0 hasta 3.4.x anterior a 3.4.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la información de rutas en api/, lo que no se maneja correctamente en un mensaje de error. A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using api/ path info to inject and receive data. A remote attacker could use this flaw to create an "/api/..." URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL (not escaped). • http://rhn.redhat.com/errata/RHSA-2016-0308.html http://www.openwall.com/lists/oss-security/2015/01/21/13 http://www.rabbitmq.com/release-notes/README-3.4.1.txt http://www.securityfocus.com/bid/76084 https://groups.google.com/forum/#%21topic/rabbitmq-users/-3Z2FyGtXhs https://access.redhat.com/security/cve/CVE-2014-9649 https://bugzilla.redhat.com/show_bug.cgi?id=1185514 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9494
https://notcve.org/view.php?id=CVE-2014-9494
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header. RabbitMQ anterior a 3.4.0 permite a atacantes remotos evadir la restricción loopback_users a través de una cabecera X-Forwareded-For manipulada. • http://seclists.org/oss-sec/2015/q1/30 http://www.rabbitmq.com/release-notes/README-3.4.0.txt https://exchange.xforce.ibmcloud.com/vulnerabilities/99685 https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM • CWE-264: Permissions, Privileges, and Access Controls •