CVSS: 5.8EPSS: 1%CPEs: 2EXPL: 0CVE-2013-7398 – async-http-client: missing hostname verification for SSL certificates
https://notcve.org/view.php?id=CVE-2013-7398
17 Apr 2015 — main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate. main/java/com/ning/http/client/AsyncHttpClientConfig.java en Async Http Client (también conocido como AHC o async-http-client) anterior a 1.9.0 no requiere una coincidencia de nombre de anfitrión durante la verif... • http://openwall.com/lists/oss-security/2014/08/26/1 • CWE-297: Improper Validation of Certificate with Host Mismatch CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-5075 – smack: MitM vulnerability
https://notcve.org/view.php?id=CVE-2014-5075
06 Aug 2014 — The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. La API Ignite Realtime Smack XMPP 4.x anterior a 4.0.2, y 3.x y 2.x cuando se utiliza un SSLContext personalizado, no verifica que el nombre del servidor coincide c... • http://op-co.de/CVE-2014-5075.html • CWE-310: Cryptographic Issues •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-6469
https://notcve.org/view.php?id=CVE-2013-6469
21 Apr 2014 — JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS allows remote authenticated users to execute arbitrary Java code via an MVFLEX Expression Language (MVEL) expression. NOTE: some of these details are obtained from third party information. JBoss Overlord Run Time Governance (RTGov) 1.0 para JBossAS permite a usuarios remotos autenticados ejecutar código Java arbitrario a través de una expresión MVFLEX Expression Language (MVEL). NOTA: algunos de estos datos se obtienen de información de terceras par... • http://secunia.com/advisories/57843 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0085 – Fuse: admin user cleartext password appears in logging
https://notcve.org/view.php?id=CVE-2014-0085
14 Apr 2014 — JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log. JBoss Fuse no habilitaba contraseñas cifradas por defecto en su uso de Apache Zookeeper. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2013-4372 – Console: Stored cross-site scripting (XSS)
https://notcve.org/view.php?id=CVE-2013-4372
26 Sep 2013 — Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page. Múltiples vulnerabilidades de XSS en Fuse Management Console en Red Hat JBoss Fuse 6.0.0 anterior al parche 3 y JBoss A-MQ 6.0.0 anterior al parche 3 permite a atacantes remotos inyectar script ... • http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git%3Ba=commitdiff%3Bh=f5436ea1c5547c851bb6f92561272fe42c146e68 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 8%CPEs: 26EXPL: 1CVE-2012-5575 – apache-cxf: XML encryption backwards compatibility attacks
https://notcve.org/view.php?id=CVE-2012-5575
20 May 2013 — Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." Apache CXF en versiones 2.5.x anteriores a la 2.5.10, 2.6.x anteriores a CXF 2.6.7 y 2.7.x ante... • https://github.com/tafamace/CVE-2012-5575 • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •