CVE-2011-1359
https://notcve.org/view.php?id=CVE-2011-1359
Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. Vulnerabilidad de salto de directorio en la consola de administración en IBM WebSphere Application Server (WAS) v6.1 anteriores a v6.1.0.41, v7.0 anteriores a v7.0.0.19, y v8.0 anteriores a v8.0.0.1, permite a atacantes remotos leer ficheros locales de su elección al utilizar caracteres .. (punto punto) en la URI. • http://secunia.com/advisories/45749 http://www-01.ibm.com/support/docview.wss?uid=swg1PM45322 http://www.ibm.com/support/docview.wss?uid=swg21509257 http://www.osvdb.org/74817 http://www.securityfocus.com/bid/49362 https://exchange.xforce.ibmcloud.com/vulnerabilities/69473 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2011-1356
https://notcve.org/view.php?id=CVE-2011-1356
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows local users to obtain sensitive stack-trace information via a crafted Administration Console request. IBM WebSphere Application Server (WAS) v6.1 y anteriores a v6.1.0.39 y v7 y anteriores a v7.0.0.19 permite a usuarios locales obtener pilas de información de seguimiento a través de una solicitud diseñada para ello de la consola de administración. • http://www.ibm.com/support/docview.wss?uid=swg1PM36620 http://www.ibm.com/support/docview.wss?uid=swg1PM42436 http://www.securityfocus.com/bid/48709 https://exchange.xforce.ibmcloud.com/vulnerabilities/68571 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2011-1355
https://notcve.org/view.php?id=CVE-2011-1355
Open redirect vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage parameter. Vulnerabilidad "Open redirect" en IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.39 y v7.0 anterior a 7.0.0.19 permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a través del parámetro logoutExitPage. • http://www.ibm.com/support/docview.wss?uid=swg1PM35701 http://www.ibm.com/support/docview.wss?uid=swg1PM42436 https://exchange.xforce.ibmcloud.com/vulnerabilities/68570 • CWE-20: Improper Input Validation •
CVE-2010-3271 – IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2010-3271
Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDetail.do followed by a save action to console/syncworkspace.do. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en la Integrated Solutions Console(también conocido como consola administrativa) en IBM WebSphere Application Server (WAS) v7.0.0.13 y anteriores, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que deshabilitan ciertas opciones de seguridad a través de una acción Edit en console/adminSecurityDetail.do seguido de una acción de guardado console/syncworkspace.do. • https://www.exploit-db.com/exploits/17404 http://securityreason.com/securityalert/8281 http://www.coresecurity.com/content/IBM-WebSphere-CSRF http://www.exploit-db.com/exploits/17404 http://www.securityfocus.com/archive/1/518465/100/0/threaded http://www.securityfocus.com/bid/48305 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2011-1209
https://notcve.org/view.php?id=CVE-2011-1209
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.17 uses a weak WS-Security XML encryption algorithm, which makes it easier for remote attackers to obtain plaintext data from a (1) JAX-RPC or (2) JAX-WS Web Services request via unspecified vectors related to a "decryption attack." El servidor de aplicaciones IBM WebSphere (WAS) 6.1 anteriores a 6.1.0.39 y 7.0 anteriores a 7.0.0.17 utiliza un algoritmo de encriptación XML WS-Security débil, lo que facilita a atacantes remotos obtener texto plano a partir de una petición de Web Services (1) JAX-RPC o (2) JAX-WS a través de vectores sin especificar relacionados con un "ataque de desencriptación". • http://www-01.ibm.com/support/docview.wss?uid=swg1PM34841 http://www-01.ibm.com/support/docview.wss?uid=swg24029632 https://exchange.xforce.ibmcloud.com/vulnerabilities/67115 • CWE-310: Cryptographic Issues •