CVE-2014-4834
https://notcve.org/view.php?id=CVE-2014-4834
IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application crash) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. IBM WebSphere Commerce 6.x hasta 6.0.0.11 y 7.x hasta 7.0.0.8 no detecta debidamente la recursión durante la expansión de entidades, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria y CPU y caída de aplicación) a través de un documento XML manipulado que contiene un número grande de referencias de entidades anidadas, un problema similar a CVE-2003-1564. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR49897 http://www-01.ibm.com/support/docview.wss?uid=swg1JR50553 http://www-01.ibm.com/support/docview.wss?uid=swg21685464 http://www.securityfocus.com/bid/70870 https://exchange.xforce.ibmcloud.com/vulnerabilities/95628 •
CVE-2014-0943
https://notcve.org/view.php?id=CVE-2014-0943
IBM WebSphere Commerce 6.0 Feature Pack 2 through Feature Pack 5, 7.0.0.0 through 7.0.0.8, and 7.0 Feature Pack 1 through Feature Pack 7 allows remote attackers to cause a denial of service (resource consumption and daemon crash) via a malformed id parameter in a request. IBM WebSphere Commerce 6.0 Feature Pack 2 hasta Feature Pack 5, 7.0.0.0 hasta 7.0.0.8 y 7.0 Feature Pack 1 hasta Feature Pack 7 permite a atacantes remotos causar una denegación de servicio (consumo de recursos y caída de demonio) a través de un parámetro id malformado en una solicitud. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR49881 http://www-01.ibm.com/support/docview.wss?uid=swg1JR49996 http://www-01.ibm.com/support/docview.wss?uid=swg21671377 http://www.securitytracker.com/id/1030284 https://exchange.xforce.ibmcloud.com/vulnerabilities/92402 • CWE-20: Improper Input Validation •
CVE-2013-2992
https://notcve.org/view.php?id=CVE-2013-2992
The Search component in IBM WebSphere Commerce 7.0 FP4 through FP6, in certain search-term association configurations, allows remote attackers to cause a denial of service via a crafted query. El componente de búsqueda en IBM WebSphere Commerce 7.0 FP4 hasta la versión FP6, en determinadas configuraciones de asociaciones búsqueda-termino, permite a atacantes remotos provocar una denegación de servicio a través de una consulta manipulada. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR46013 http://www-01.ibm.com/support/docview.wss?uid=swg1JR47273 http://www-01.ibm.com/support/docview.wss?uid=swg1JR47295 http://www-01.ibm.com/support/docview.wss?uid=swg1JR47313 http://www-01.ibm.com/support/docview.wss? • CWE-20: Improper Input Validation •
CVE-2013-0566
https://notcve.org/view.php?id=CVE-2013-0566
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Accelerator JSPs, (2) Organization Administration Console JSPs, and (3) Administration Console JSPs in WebSphere Commerce Tools in IBM WebSphere Commerce 5.6.1.0 through 5.6.1.5, 6.0.0.0 through 6.0.0.11, and 7.0.0.0 through 7.0.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de cross-site scripting (XSS) en (1) Accelerator JSPs, (2) Organization Administration Console JSPs, y (3) Administration Console JSPs en WebSphere Commerce Tools en IBM WebSphere Commerce c5.6.1.0 hasta v5.6.1.5, c6.0.0.0 hasta v6.0.0.11, y v7.0.0.0 hasta v7.0.0.7, permite a atacantes remotos inyectar secuencias de comandos web o HTML sin especificar a través de vectores sin especificar. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR46776 http://www.ibm.com/support/docview.wss?uid=swg21647750 https://exchange.xforce.ibmcloud.com/vulnerabilities/83139 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-2994
https://notcve.org/view.php?id=CVE-2013-2994
IBM WebSphere Commerce 7.0 Feature Pack 4 and Feature Pack 5 incorrectly maintains a valid session after unspecified interaction with REST services, which allows remote attackers to issue REST requests in the context of an arbitrary user's active session via unknown vectors. IBM WebSphere Commerce 7.0 Feature Pack 4 y Feature Pack 5, mantiene incorrectamente una sesión válida tras una interacción sin especificar con los servicios REST, lo que permite a atacantes remotos emitir peticiones REST en el contexto de una sesión de un usuario arbitrario, a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR45420 http://www-01.ibm.com/support/docview.wss?uid=swg21644393 https://exchange.xforce.ibmcloud.com/vulnerabilities/84033 • CWE-20: Improper Input Validation •