CVSS: 4.0EPSS: 0%CPEs: 21EXPL: 0CVE-2014-4769
https://notcve.org/view.php?id=CVE-2014-4769
IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. IBM WebSphere Commerce 6.x hasta 6.0.0.11 y 7.x hasta 7.0.0.8 permite a usuarios remotos autenticados leer ficheros arbitrarios o enviar solicitudes TCP a servidores de intranet a través de datos XML que contienen una declaración de entidad externa en conjunto con una referencia de entidad, relacionado con un problema de entidad externa XML (XXE). • http://www-01.ibm.com/support/docview.wss?uid=swg1JR49897 http://www-01.ibm.com/support/docview.wss?uid=swg1JR50553 http://www-01.ibm.com/support/docview.wss?uid=swg21685464 http://www.securityfocus.com/bid/70872 https://exchange.xforce.ibmcloud.com/vulnerabilities/94836 •
CVSS: 4.3EPSS: 0%CPEs: 21EXPL: 0CVE-2014-4834
https://notcve.org/view.php?id=CVE-2014-4834
IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application crash) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. IBM WebSphere Commerce 6.x hasta 6.0.0.11 y 7.x hasta 7.0.0.8 no detecta debidamente la recursión durante la expansión de entidades, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria y CPU y caída de aplicación) a través de un documento XML manipulado que contiene un número grande de referencias de entidades anidadas, un problema similar a CVE-2003-1564. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR49897 http://www-01.ibm.com/support/docview.wss?uid=swg1JR50553 http://www-01.ibm.com/support/docview.wss?uid=swg21685464 http://www.securityfocus.com/bid/70870 https://exchange.xforce.ibmcloud.com/vulnerabilities/95628 •
CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 0CVE-2014-4808
https://notcve.org/view.php?id=CVE-2014-4808
Unspecified vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 allows remote authenticated users to execute arbitrary code via unknown vectors. Vulnerabilidad no especificada en IBM WebSphere Portal 6.1.0 hasta 6.1.0.6 CF27, 6.1.5 hasta 6.1.5.3 CF27, 7.0 hasta 7.0.0.2 CF28, 8.0 hasta 8.0.0.1 CF14, y 8.5.0 anterior a CF03 permite a usuarios remotos autenticados ejecutar código arbitrario a través de vectores desconocidos. • http://secunia.com/advisories/59740 http://www-01.ibm.com/support/docview.wss?uid=swg1PI25993 http://www-01.ibm.com/support/docview.wss?uid=swg21684651 http://www.securityfocus.com/bid/70757 https://exchange.xforce.ibmcloud.com/vulnerabilities/95375 •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-6125
https://notcve.org/view.php?id=CVE-2014-6125
Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Portal 8.5.0 before CF03 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. Vulnerabilidad de CSRF en IBM WebSphere Portal 8.5.0 anterior a CF03 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para solicitudes que insertan secuencias de XSS. • http://www-01.ibm.com/support/docview.wss?uid=swg1PI26889 http://www-01.ibm.com/support/docview.wss?uid=swg21684651 http://www.securityfocus.com/bid/70759 https://exchange.xforce.ibmcloud.com/vulnerabilities/96782 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-6126
https://notcve.org/view.php?id=CVE-2014-6126
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en IBM WebSphere Portal 8.5.0 anterior a CF03 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1PI26889 http://www-01.ibm.com/support/docview.wss?uid=swg21684651 http://www.securityfocus.com/bid/70756 https://exchange.xforce.ibmcloud.com/vulnerabilities/96783 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •