CVE-2016-1914 – BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1914
Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) mydevice/client/image, (2) admin/client/image, (3) myapps/client/image, (4) ssam/client/image, or (5) all/client/image. BlackBerry Enterprise Service 12 (BES12) Self-Service suffers from cross-site scripting and remote SQL injection vulnerabilities.
References:
• https://www.exploit-db.com/exploits/39481
• http://seclists.org/fulldisclosure/2016/Feb/95
• http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
• http://support.blackberry.com/kb/articleDetail?articleNumber=000038033
• http://www.securitytracker.com/id/1035095
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1915 – BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1915
Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to inject arbitrary web script or HTML via the locale parameter to (1) mydevice/index.jsp or (2) mydevice/loggedOut.jsp. BlackBerry Enterprise Service 12 (BES12) Self-Service suffers from cross-site scripting and remote SQL injection vulnerabilities.
References:
• https://www.exploit-db.com/exploits/39481
• http://seclists.org/fulldisclosure/2016/Feb/95
• http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
• http://support.blackberry.com/kb/articleDetail?articleNumber=000038033
• http://www.securitytracker.com/id/1035095
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1469
https://notcve.org/view.php?id=CVE-2014-1469
BlackBerry Enterprise Server 5.x before 5.0.4 MR7 and Enterprise Service 10.x before 10.2.2 log cleartext credentials during exception handling, which allows local users to obtain sensitive information by reading the exception log file.
References:
• http://secunia.com/advisories/60154
• http://www.blackberry.com/btsc/KB36175
• http://www.securityfocus.com/bid/69211
• https://exchange.xforce.ibmcloud.com/vulnerabilities/95264
CWE-310: Cryptographic Issues
CVE-2014-1467
https://notcve.org/view.php?id=CVE-2014-1467
BlackBerry Enterprise Service 10 before 10.2.1, Universal Device Service 6, Enterprise Server Express for Domino through 5.0.4, Enterprise Server Express for Exchange through 5.0.4, Enterprise Server for Domino through 5.0.4 MR6, Enterprise Server for Exchange through 5.0.4 MR6, and Enterprise Server for GroupWise through 5.0.4 MR6 log cleartext credentials during exception handling, which might allow context-dependent attackers to obtain sensitive information by reading a log file.
References:
• http://www.blackberry.com/btsc/KB35647
CWE-255: Credentials Management Errors
CVE-2013-3693
https://notcve.org/view.php?id=CVE-2013-3693
The BlackBerry Universal Device Service in BlackBerry Enterprise Service (BES) 10.0 through 10.1.2 does not properly restrict access to the JBoss Remote Method Invocation (RMI) interface, which allows remote attackers to upload and execute arbitrary packages via a request to port 1098.
References:
• http://btsc.webapps.blackberry.com/btsc/viewdocument.do%3Bjsessionid=1C7CE6911426BCFAF2A80C3834F4DF0F?externalId=KB35139&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
• http://secunia.com/advisories/55187
CWE-264: Permissions, Privileges, and Access Controls