CVSS: 4.8EPSS: 0%CPEs: 17EXPL: 2CVE-2017-14651
https://notcve.org/view.php?id=CVE-2017-14651
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter. WSO2 Data Analytics Server 3.1.0 tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) en carbon/resources/add_collection_ajaxprocessor.jsp mediante los parámetros collectionName o parentPath. • https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 https://github.com/cybersecurityworks/Disclosed/issues/15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3CVE-2016-4311 – WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-4311
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request. Vulnerabilidad de CSRF en la funcionalidad de flujo XACML en WSO2 Identity Server 5.1.0 permite a atacantes remotos secuestrar la autenticación de usuarios privilegiados para solicitudes que procesan solicitudes XACML a través de una solicitud entitlement/eval-policy-submit.jsp. WSO2 Identity Server version 5.1.0 suffers from cross site request forgery and XML external-entity injection vulnerabilities. • https://www.exploit-db.com/exploits/40239 http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html http://www.securityfocus.com/archive/1/539199/100/0/threaded http://www.securityfocus.com/bid/92485 https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 3CVE-2016-4312 – WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-4312
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. Vulnerabilidad de XXE en la funcionalidad de flujo XACML en WSO2 Identity Server 5.1.0 en versiones anteriores a WSO2-CARBON-PATCH-4.4.0-0231 permite a usuarios remotos autenticados con acceso a características XACML leer archivos arbitrarios, provocar una denegación de servicio, realizar ataques de SSRF o tener otros impactos no especificados a través de una solicitud de XACML creada para entitlement/eval-policy-submit.jsp. NOTA: este problema se puede combinar con CVE-2016-4311 para explotar la vulnerabilidad sin credenciales. WSO2 Identity Server version 5.1.0 suffers from cross site request forgery and XML external-entity injection vulnerabilities. • https://www.exploit-db.com/exploits/40239 http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html http://www.securityfocus.com/archive/1/539199/100/0/threaded http://www.securityfocus.com/bid/92485 https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096 • CWE-611: Improper Restriction of XML External Entity Reference •