CVSS: 4.8EPSS: 9%CPEs: 17EXPL: 2CVE-2017-14651
https://notcve.org/view.php?id=CVE-2017-14651
21 Sep 2017 — WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter. WSO2 Data Analytics Server 3.1.0 tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) en carbon/resources/add_collection_ajaxprocessor.jsp mediante los parámetros collectionName o parentPath. • https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 4CVE-2016-4311 – WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-4311
13 Aug 2016 — Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request. Vulnerabilidad de CSRF en la funcionalidad de flujo XACML en WSO2 Identity Server 5.1.0 permite a atacantes remotos secuestrar la autenticación de usuarios privilegiados para solicitudes que procesan solicitudes XACML a través de una solicitud... • https://packetstorm.news/files/id/138329 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 4CVE-2016-4312 – WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-4312
13 Aug 2016 — XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. Vulnerabil... • https://packetstorm.news/files/id/138329 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.9EPSS: 23%CPEs: 1EXPL: 5CVE-2016-4314 – WSO2 Carbon 4.4.5 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2016-4314
13 Aug 2016 — Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the logFile parameter to downloadgz-ajaxprocessor.jsp. Vulnerabilidad de salto de directorio en el LogViewer Admin Service en WSO2 Carbon 4.4.5 permite a administradores remotos autenticados leer archivos arbitrarios a través de un .. (punto punto) en el parámetro logFile para downloadgz-ajaxprocessor.jsp. DuckieTV CMS version 1.1.5 su... • https://packetstorm.news/files/id/144612 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.7EPSS: 2%CPEs: 1EXPL: 4CVE-2016-4315 – WSO2 Carbon 4.4.5 - Denial of Service / Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2016-4315
13 Aug 2016 — Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp. Vulnerabilidad de CSRF en WSO2 Carbon 4.4.5 permite a atacantes remotos secuestrar la autenticación de usuarios privilegiados para solicitudes que apagan un servidor a través de una acción de cierre de server-admin/proxy_ajaxprocessor.jsp. WSO2 Carbon version 4.4.5 suffe... • https://packetstorm.news/files/id/138332 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 4CVE-2016-4316 – WSO2 Carbon 4.4.5 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-4316
13 Aug 2016 — Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) setName parameter to identity-mgt/challenges-mgt.jsp; the (2) webappType or (3) httpPort parameter to webapp-list/webapp_info.jsp; the (4) dsName or (5) description parameter to ndatasource/newdatasource.jsp; the (6) phase parameter to viewflows/handlers.jsp; or the (7) url parameter to ndatasource/validateconnection-ajaxprocessor.jsp. Múltiples vulnerabilidades ... • https://packetstorm.news/files/id/138331 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-4327 – WSO2 SOA Enablement Server Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-4327
17 May 2016 — Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. Vulnerabilidad XSS en WSO2 SOA Enablement Server para Java/6.6 build SSJ-6.6-20090816-1616 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de PATH_INFO. WSO2 SOA Enablement server suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/137073 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •