
CVE-2018-2588 – OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
https://notcve.org/view.php?id=CVE-2018-2588
18 Jan 2018 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: LDAP). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded, JR... • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •

CVE-2018-2599 – OpenJDK: DnsClient missing source port randomization (JNDI, 8182125)
https://notcve.org/view.php?id=CVE-2018-2599
18 Jan 2018 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, J... • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html • CWE-330: Use of Insufficiently Random Values •

CVE-2018-2602 – OpenJDK: loading of classes from untrusted locations (I18n, 8182601)
https://notcve.org/view.php?id=CVE-2018-2602
18 Jan 2018 — Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: I18n). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded executes to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability ca... • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html • CWE-426: Untrusted Search Path •

CVE-2018-2603 – OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387)
https://notcve.org/view.php?id=CVE-2018-2603
18 Jan 2018 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (part... • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2017-7538 – 5: organization name allows XSS
https://notcve.org/view.php?id=CVE-2017-7538
06 Sep 2017 — A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users. Se ha detectado una vulnerabilidad Cross-Site Scripting (XSS) en la manera en la que se muestra un nombre de organización en Satellite 5 en versiones anteriores a la 5.8. Un usuario capaz de cambiar el nombre de una organización podría explotar esta vulnerabilidad para realiz... • http://www.securitytracker.com/id/1039267 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-8163
https://notcve.org/view.php?id=CVE-2014-8163
28 Aug 2017 — Directory traversal vulnerability in the XMLRPC interface in Red Hat Satellite 5. Existe una vulnerabilidad de salto de directorio en la interfaz XMLRPC en Red Hat Satellite 5. • https://access.redhat.com/security/cve/cve-2014-8163 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2017-7514 – SAT 5 XSS in the Failed Systems page
https://notcve.org/view.php?id=CVE-2017-7514
21 Jun 2017 — A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users. Se ha encontrado un fallo de Cross-Site Scripting (XSS) en la forma en la que la entrada de acción se procesa en Red Hat Satellite en versiones anteriores a la 5.8.0. Un usuario que pueda especificar una acción fallida podría explotar este fallo para realizar ataq... • https://access.redhat.com/errata/RHSA-2017:1558 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2017-7470 – spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks
https://notcve.org/view.php?id=CVE-2017-7470
19 May 2017 — It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py. Se ha encontrado que spacewalk-channel puede ser utilizado por un usuario no administrador o por usuarios deshabilitados para realizar tareas administrativas debido a una verificación de autorización incorrecta en backend/servidor/rhnChannel.py. Spacewalk is an Open Source systems management solution that provides syste... • http://www.securityfocus.com/bid/98569 • CWE-863: Incorrect Authorization •

CVE-2016-3080 – spacewalk-monitoring: XSS issue in monitoring probe
https://notcve.org/view.php?id=CVE-2016-3080
26 Jul 2016 — Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via the (1) RHNMD User or (2) Filesystem parameters, related to display of monitoring probes. Vulnerabilidad de XSS en spacewalk-java en Red Hat Satellite 5.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de los parámetros (1) RHNMD User o (2) Filesystem, relacionado con la visualización de sondas de monitorización. A... • http://rhn.redhat.com/errata/RHSA-2016-1484.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2016-3097 – spacewalk-java: Multiple XSS flaws
https://notcve.org/view.php?id=CVE-2016-3097
26 Jul 2016 — Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via a group name, related to viewing snapshot data. Vulnerabilidad de XSS en spacewalk-java en Red Hat Satellite 5.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de grupo, relacionado con la visualización de datos snapshot. A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java disp... • http://rhn.redhat.com/errata/RHSA-2016-1484.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •