CVE-2018-2637 – OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
https://notcve.org/view.php?id=CVE-2018-2637
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/102576 http://www.securitytracker.com/id/1040203 https://access.redhat.com/errata/RHSA-2018:0095 https://access.redhat.com/errata/RHSA-2018:0099 https://access.redhat.com/errata/RHSA-2018:0100 https://access.redhat.com/errata/RHSA-2018:0115 https://access.redhat.com/errata/RHSA-2018:0349 https://access.redhat.com/errata/RHSA-2018:0351 https://access.redhat.com/errata/ • CWE-502: Deserialization of Untrusted Data •
CVE-2017-7538 – 5: organization name allows XSS
https://notcve.org/view.php?id=CVE-2017-7538
A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users. Se ha detectado una vulnerabilidad Cross-Site Scripting (XSS) en la manera en la que se muestra un nombre de organización en Satellite 5 en versiones anteriores a la 5.8. Un usuario capaz de cambiar el nombre de una organización podría explotar esta vulnerabilidad para realizar ataques Cross-Site Scripting (XSS) contra otros usuarios de Satellite. A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5. • http://www.securitytracker.com/id/1039267 https://access.redhat.com/errata/RHSA-2017:2645 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7538 https://access.redhat.com/security/cve/CVE-2017-7538 https://bugzilla.redhat.com/show_bug.cgi?id=1471262 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-7514 – SAT 5 XSS in the Failed Systems page
https://notcve.org/view.php?id=CVE-2017-7514
A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users. Se ha encontrado un fallo de Cross-Site Scripting (XSS) en la forma en la que la entrada de acción se procesa en Red Hat Satellite en versiones anteriores a la 5.8.0. Un usuario que pueda especificar una acción fallida podría explotar este fallo para realizar ataques XSS contra otros usuarios de Satellite. A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Satellite 5. • https://access.redhat.com/errata/RHSA-2017:1558 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7514 https://access.redhat.com/security/cve/CVE-2017-7514 https://bugzilla.redhat.com/show_bug.cgi?id=1458052 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-7470 – spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks
https://notcve.org/view.php?id=CVE-2017-7470
It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py. Se ha encontrado que spacewalk-channel puede ser utilizado por un usuario no administrador o por usuarios deshabilitados para realizar tareas administrativas debido a una verificación de autorización incorrecta en backend/servidor/rhnChannel.py. • http://www.securityfocus.com/bid/98569 https://access.redhat.com/errata/RHSA-2017:1259 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7470 https://access.redhat.com/security/cve/CVE-2017-7470 https://bugzilla.redhat.com/show_bug.cgi?id=1439622 • CWE-863: Incorrect Authorization •
CVE-2016-3080 – spacewalk-monitoring: XSS issue in monitoring probe
https://notcve.org/view.php?id=CVE-2016-3080
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via the (1) RHNMD User or (2) Filesystem parameters, related to display of monitoring probes. Vulnerabilidad de XSS en spacewalk-java en Red Hat Satellite 5.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de los parámetros (1) RHNMD User o (2) Filesystem, relacionado con la visualización de sondas de monitorización. A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed monitoring probes. An attacker can embed HTML and Javascript in the values for RHNMD User or Filesystem parameters in Satellite, allowing them to inject malicious content into the web page that is then displayed with that probe data. • http://rhn.redhat.com/errata/RHSA-2016-1484.html https://bugzilla.redhat.com/show_bug.cgi?id=1320942 https://access.redhat.com/security/cve/CVE-2016-3080 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •