Page 7 of 41 results (0.016 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2013-0314 – Portal: remote unauthenticated site import

https://notcve.org/view.php?id=CVE-2013-0314

The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets. El gadget GateIn Portal de exportación/importación en JBoss Enterprise Portal Platform v5.2.2 no comprueba correctamente la autenticación al importar archivos Zip, lo que permite a atacantes remotos modificar el contenido del sitio, quitar el sitio, o alterar los controles de acceso para los portlets. • http://rhn.redhat.com/errata/RHSA-2013-0613.html http://secunia.com/advisories/52552 http://www.osvdb.org/91120 https://bugzilla.redhat.com/show_bug.cgi?id=913327 https://access.redhat.com/security/cve/CVE-2013-0314 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •

CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0

CVE-2011-2487 – jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key

https://notcve.org/view.php?id=CVE-2011-2487

The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack. Las implementaciones del mecanismo de transporte de claves PKCS#1 versión v1.5 para XMLEncryption en JBossWS y Apache WSS4J versiones anteriores a 1.6.5, son susceptibles a un ataque de tipo Bleichenbacher A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weakness in chosen-ciphertext attacks to recover the symmetric key and conduct further attacks. • http://cxf.apache.org/note-on-cve-2011-2487.html http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn.redhat.com/errata/RHSA-2013-0198.html http://rhn.redhat.com/errata/RHSA-2013-0221.html http://www • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2012-5531 – Portal: Reflected Cross-Site Scripting (XSS)

https://notcve.org/view.php?id=CVE-2012-5531

Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Portal in JBoss Enterprise Portal Platform 5.2.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en el portal GateIn en JBoss Enterprise Portal Platform v5.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2013-0141.html http://secunia.com/advisories/51775 https://access.redhat.com/security/cve/CVE-2012-5531 https://bugzilla.redhat.com/show_bug.cgi?id=877234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0

CVE-2011-1096 – jbossws: Prone to character encoding pattern attack (XML Encryption flaw)

https://notcve.org/view.php?id=CVE-2011-1096

The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Enterprise Portal Platform before 5.2.2 and other products, when using block ciphers in cipher-block chaining (CBC) mode, allows remote attackers to obtain plaintext data via a chosen-ciphertext attack on SOAP responses, aka "character encoding pattern attack." El estándar W3C XML Encryption, tal como se utiliza en el componente JBoss Web Services (JBossWS) en JBoss Enterprise Portal Platform anterior a v5.2.2 y otros productos, utilizando las cifras de bloque en el encadenamiento de bloques de cifrado (CBC), permite a atacantes remotos obtener datos en texto plano a través de un ataque "chosen-ciphertext" en las respuestas SOAP. • http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.de http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html http://cxf.apache.org/note-on-cve-2011-1096.html http://dl.acm.org/citation.cfm?id=2046756&dl=ACM&coll=DL http://rhn.redhat.com/errata/RHSA-2012-1301.html http://rhn.redhat.com/errata/RHSA-2012-1330.html http://rhn.redhat.com/errata/RHSA-2012-1344.html http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/R • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 6.0EPSS: 0%CPEs: 8EXPL: 0

CVE-2011-2908 – CSRF on jmx-console allows invocation of operations on mbeans

https://notcve.org/view.php?id=CVE-2011-2908

Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en JMX Console (jmx-console) en JBoss Enterprise Portal Platform anterior a v5.2.2, BRMS Platform v5.3.0 anterior a roll up patch1, y SOA Platform v5.3.0, permite a atacantes remotos autenticados secuestrar la autenticación de usuarios arbitrarios para solicitudes que lleven a cabo operaciones en MBeans y posiblemente ejecutar código arbitrario mediante vectores desconocidos. • http://rhn.redhat.com/errata/RHSA-2012-1152.html http://rhn.redhat.com/errata/RHSA-2012-1165.html http://rhn.redhat.com/errata/RHSA-2012-1232.html http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn • CWE-352: Cross-Site Request Forgery (CSRF) •