CVSS: 8.8EPSS: 0%CPEs: 59EXPL: 0CVE-2009-2746
https://notcve.org/view.php?id=CVE-2009-2746
16 Nov 2009 — Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la consola de administración en el componente Security en IBM WebSphere Application Server (WAS) v6.0.2 anteriores a v6.0.2.39, v6... • http://secunia.com/advisories/37221 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 35%CPEs: 93EXPL: 0CVE-2009-0217 – xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
https://notcve.org/view.php?id=CVE-2009-0217
14 Jul 2009 — The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.... • http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161 •
CVSS: 7.1EPSS: 0%CPEs: 59EXPL: 0CVE-2009-0891
https://notcve.org/view.php?id=CVE-2009-0891
25 Mar 2009 — The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. El componente Web Services Security en IBM WebSphere Application Server v7.0 anterior a Fix Pac... • http://secunia.com/advisories/34131 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 1%CPEs: 34EXPL: 0CVE-2009-0508
https://notcve.org/view.php?id=CVE-2009-0508
16 Mar 2009 — The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v5.1.0, v5.1.1.19, v... • http://secunia.com/advisories/34283 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2009-0504
https://notcve.org/view.php?id=CVE-2009-0504
17 Feb 2009 — WSPolicy in the Web Services component in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.1 does not properly recognize the IDAssertion.isUsed binding property, which allows local users to discover a password by reading a SOAP message. WSPolicy en el componente Web Services en IBM WebSphere Application Server (WAS) v7.0.x anterior a v7.0.0.1 no reconoce adecuadamente la propiedad de vínculo IDAssertion.isUsed, lo que permite a usuarios locales descubrir una contraseña leyendo un mensaje SOAP. • http://www-01.ibm.com/support/docview.wss?uid=swg27014463 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 73EXPL: 0CVE-2009-0433
https://notcve.org/view.php?id=CVE-2009-0433
10 Feb 2009 — Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1.x before 5.1.1.19, 6.0.x before 6.0.2.29, and 6.1.x before 6.1.0.19, when Web Server plug-in content buffering is enabled, allows attackers to cause a denial of service (daemon crash) via unknown vectors, related to a mishandling of client read failures in which clients receive many 500 HTTP error responses and backend servers are incorrectly labeled as down. Vulnerabilidad no especificada en IBM WebSphere Aplication Server (WAS) v5.1.x... • http://www-01.ibm.com/support/docview.wss?uid=swg1PK67161 •
CVSS: 4.7EPSS: 0%CPEs: 56EXPL: 0CVE-2009-0434
https://notcve.org/view.php?id=CVE-2009-0434
10 Feb 2009 — PerfServlet in the PMI/Performance Tools component in IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.31, 6.1.x before 6.1.0.21, and 7.0.x before 7.0.0.1, when Performance Monitoring Infrastructure (PMI) is enabled, allows local users to obtain sensitive information by reading the (1) systemout.log and (2) ffdc files. NOTE: this is probably a duplicate of CVE-2008-5413. PerfServlet en el componente PMI/Performance Tools de IBM WebSphere Application Server (WAS) v6.0.x anterior a v6.0.2.31, v6.1.x ... • http://www-01.ibm.com/support/docview.wss?uid=swg27006876 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 59EXPL: 0CVE-2009-0436
https://notcve.org/view.php?id=CVE-2009-0436
10 Feb 2009 — The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x before 6.0.2.31 and 6.1.x before 6.1.0.19, as used in WebSphere Application Server (WAS), set incorrect permissions for AF_UNIX sockets, which has unknown impact and local attack vectors. Los módulos (1) mod_ibm_ssl y (2) mod_cgid en IBM HTTP Server v6.0.x anteriores a v6.0.2.31 y v6.1.x anteriores a v6.1.0.19, tal y como se utiliza en WebSphere Application Server (WAS), ajusta incorrectamente los permisos para los sockets AF_UNIX, lo que... • http://www-01.ibm.com/support/docview.wss?uid=swg27006876 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 109EXPL: 0CVE-2008-4284
https://notcve.org/view.php?id=CVE-2008-4284
10 Feb 2009 — Open redirect vulnerability in the ibm_security_logout servlet in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.x versions, 6.0.x before 6.0.2.33, and 6.1.x before 6.1.0.23 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage feature. Vulnerabilidad de redirección abierta en ibm_security_logout servlet en IBM WebSphere Application Server (WAS) v5.1.1.19 y anteriores a las versiones v5.x, v6.0.x anterior a v6.0.2.33, y v6.1.x ant... • http://www-1.ibm.com/support/docview.wss?uid=swg21320242 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2008-5411
https://notcve.org/view.php?id=CVE-2008-5411
10 Dec 2008 — IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 sends SSL traffic over "unsecured TCP," which makes it easier for remote attackers to obtain sensitive information by sniffing the network. IBM WebSphere Application Server (WAS) 7 y versiones anteriores 7.0.0.1 que envía tráfico SSL sobre "TCP inseguro", el cual hace más fácil para usuarios remotos obtener información sensible, rastreando la red. • http://secunia.com/advisories/33022 • CWE-310: Cryptographic Issues •