CVE-2010-2328
https://notcve.org/view.php?id=CVE-2010-2328
The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (NullPointerException) via a large amount of chunked data that uses gzip compression. El HTTP Channel en IBM WebSphere Application Server (WAS) v7.0 anteriores a v7.0.0.11 permite a atacantes remotos provocar una denegación de servicio ( NullPointerException) a través de una gran cantidad de datos truncados que utilicen la compresión gzip. • http://www-01.ibm.com/support/docview.wss?uid=swg1PM08894 http://www-01.ibm.com/support/docview.wss?uid=swg1PM15829 •
CVE-2010-2325
https://notcve.org/view.php?id=CVE-2010-2325
Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection." Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados - XSS - en la consola de administración de WebSphere Application Server (WAS) v7.0 anteriores a v7.0.0.11 en z/OS, permite a los atacantes remotos inyectar arbitrariamente una secuencia de comandos web o HTML a través de vectores no especificados, relativos en parte a "inyección URL". • http://secunia.com/advisories/40096 http://www-01.ibm.com/support/docview.wss?uid=swg1PM11778 http://www-01.ibm.com/support/docview.wss?uid=swg1PM15830 http://www.vupen.com/english/advisories/2010/1411 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-2326
https://notcve.org/view.php?id=CVE-2010-2326
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node federation, allows attackers to obtain sensitive information about CIMMetadataCollectorImpl trace actions by reading the addNode.log file. IBM WebSphere Application Server (WAS) v7.0 anteriores a v7.0.0.11, cuando addNode-trace se utiliza mientras la federación de nodos, permite a atacantes remotos conseguir información sensible acercad de acciones de la traza CIMMetadataCollectorImpl leyendo el fichero addNode.log. • http://secunia.com/advisories/40096 http://www-01.ibm.com/support/docview.wss?uid=swg1PM10684 http://www-01.ibm.com/support/docview.wss?uid=swg1PM15830 http://www.osvdb.org/65438 http://www.securityfocus.com/bid/40699 http://www.vupen.com/english/advisories/2010/1411 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2010-2087
https://notcve.org/view.php?id=CVE-2010-2087
Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. Oracle Mojarra v1.2_14 y v2.0.2, utilizado en IBM WebSphere Application Server, Caucho Resin, y otras aplicaciones, no maneja adecuadamente un estado de vista sin cifrar, lo que permite a atacantes remotos dirigir ataques de secuencias de comandos en sitios cruzados (XSS) o ejecutar sentencias del lenguaje de expresión (EL) a través de vectores que pretenden modificar las vistas de objetos serializados. • http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-0774
https://notcve.org/view.php?id=CVE-2010-0774
The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 do not properly handle WebServices PKCS#7 and PKIPath tokens, which allows remote attackers to bypass intended access restrictions via unspecified vectors. La implementaciones (1) JAX-RPC WS-Security v1.0 y (2) JAX-WS en IBM WebSphere Application Server (WAS) v6.0 anteriores a v6.0.2.41, v6.1 anteriores a v6.1.0.31, y v7.0 anteriores a v7.0.0.11 no manejan de forma adecuada los elementos WebServices PKCS#7 and PKIPath, lo que permite a usuarios remotos saltarse las restricciones de acceso a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1PK96427 https://exchange.xforce.ibmcloud.com/vulnerabilities/58554 • CWE-264: Permissions, Privileges, and Access Controls •