CVE-2009-1173
https://notcve.org/view.php?id=CVE-2009-1173
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used. IBM WebSphere Application Server (WAS) v7.0 anterior a v7.0.0.3 utiliza permisos débiles (777) para ficheros asociados con "correcciones parciales" sin especificar, lo que permite a atacantes modificar ficheros que podría no haber estado accesible si los fueran utilizados los permisos 755. • http://secunia.com/advisories/34131 http://secunia.com/advisories/34461 http://www-01.ibm.com/support/docview.wss?uid=swg1PK77590 http://www-01.ibm.com/support/docview.wss?uid=swg1PK82988 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34259 http://www.vupen.com/english/advisories/2009/0854 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-0892
https://notcve.org/view.php?id=CVE-2009-0892
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout. La consola de administración en IBM WebSphere Application Server (WAS) v6.1 versiones anteriores a v6.1.0.23 y v7.0 versiones anteriores a v7.0.0.3 permite a atacantes secuestrar sesiones de usuarios en "escenarios específicos" relacionados con cierres de sesión forzadas. • http://secunia.com/advisories/34131 http://www-01.ibm.com/support/docview.wss?uid=swg1PK74966 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34501 https://exchange.xforce.ibmcloud.com/vulnerabilities/49499 • CWE-287: Improper Authentication •
CVE-2009-0891
https://notcve.org/view.php?id=CVE-2009-0891
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. El componente Web Services Security en IBM WebSphere Application Server v7.0 anterior a Fix Pack 1 (v7.0.0.1), v6.1 anterior a Fix Pack 23 (v6.1.0.23),y v6.0.2 anterior Fix Pack 33 (v6.0.2.33) no respeta los valores (1)nonce y (2)timestamp expiration en los vínculos WS-Security tal y como se almacenan en la propiedad com.ibm.wsspi.wssecurity.core, lo que permite a usuarios remotos autenticados dirigir ataques de hijacking de sesión. • http://secunia.com/advisories/34131 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/search.wss?rs=0&q=PK66676&apar=only https://exchange.xforce.ibmcloud.com/vulnerabilities/49391 • CWE-287: Improper Authentication •
CVE-2009-0508
https://notcve.org/view.php?id=CVE-2009-0508
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v5.1.0, v5.1.1.19, v6.0.2 anteriores a v6.0.2.35, v6.1 anteriores a v6.1.0.23, y v7.0 anteriores a v7.0.0.3 permite a atacantes remotos leer ficheros de su elección contenidos en los fichero "war" de (1) el directorio web-inf, (2) el directorio "meta-inf", y otros directorios no especificados mediante vectores desconocidos, relacionados con (a) aplicaciones web y (b) la consola de administración. • http://secunia.com/advisories/34283 http://secunia.com/advisories/34876 http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24022456 http://www-01.ibm.com/support/docview.wss?uid=swg1PK81387 http://www-01.ibm.com/support/docview.wss?uid=swg21380233 http://www-01.ibm.com/support/docview.wss?uid=swg21380376 http://www-01.ibm.com/support/docview.wss? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-0856
https://notcve.org/view.php?id=CVE-2009-0856
Multiple cross-site scripting (XSS) vulnerabilities in sample applications in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, and 6.1 before 6.1.0.23 on z/OS, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Varias vulnerabilidades de tipo Cross-Site Scripting (XSS) en aplicaciones de muestra en IBM WebSphere Application Server (WAS) versión 6.0.2 anteriores a 6.0.2.35, y versión 6.1 anterior a 6.1.0.23 en z/OS, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de vectores no especificados. • http://securitytracker.com/id?1021811 http://www-01.ibm.com/support/docview.wss?uid=swg1PK76720 http://www-01.ibm.com/support/docview.wss?uid=swg1PK81212 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www.securityfocus.com/bid/34001 http://www.vupen.com/english/advisories/2009/0607 http://www.vupen.com/english/advisories/2009/1464 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •