CVSS: 6.1EPSS: 0%CPEs: 15EXPL: 0CVE-2017-3894
https://notcve.org/view.php?id=CVE-2017-3894
A stored cross site scripting vulnerability in the Management Console of BlackBerry Unified Endpoint Manager version 12.6.1 and earlier, and all versions of BES12, allows attackers to execute actions in the context of a Management Console administrator by uploading a malicious script and then persuading a target administrator to view the specific location of the malicious script within the Management Console. Una vulnerabilidad de tipo cross-site scripting almacenado en la Consola de Administración de BlackBerry Unified Endpoint Manager versión 12.6.1 y anteriores, y todas las versiones de BES12, permite a los atacantes ejecutar acciones en el contexto de un administrador de la Consola de Administración mediante la carga de un script malicioso y luego persuadiendo a un administrador destino para visualizar la ubicación específica del script malicioso dentro de la Consola de Administración. • http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000044565 http://www.securityfocus.com/bid/98552 http://www.securitytracker.com/id/1038465 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 12EXPL: 0CVE-2016-3130
https://notcve.org/view.php?id=CVE-2016-3130
An information disclosure vulnerability in the Core and Management Console in BlackBerry Enterprise Server (BES) 12 through 12.5.2 allows remote attackers to obtain local or domain credentials of an administrator or user account by sniffing traffic between the two elements during a login attempt. Una vulnerabilidad de divulgación de información en el Core y Management Console en BlackBerry Enterprise Server (BES) 12 hasta la versión 12.5.2 permite a atacantes remotos obtener credenciales locales o de dominio de una cuenta de administrador o usuario espiando el tráfico entre los dos elementos durante un intento de inicio de sesión. • http://support.blackberry.com/kb/articleDetail?articleNumber=000038914 http://www.securityfocus.com/bid/95924 http://www.securitytracker.com/id/1037584 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-255: Credentials Management Errors •
CVSS: 8.2EPSS: 0%CPEs: 12EXPL: 0CVE-2016-3128
https://notcve.org/view.php?id=CVE-2016-3128
A spoofing vulnerability in the Core of BlackBerry Enterprise Server (BES) 12 through 12.5.2 allows remote attackers to enroll an illegitimate device to the BES, gain access to device parameters for the BES, or send false information to the BES by gaining access to specific information about a device that was legitimately enrolled on the BES. Una vulnerabilidad de suplantación en el Core de BlackBerry Enterprise Server (BES) 12 hasta la versión 12.5.2 permite a atacantes remotos registrar un dispositivo ilegítimo al BES, acceder a los parámetros del dispositivo para el BES o enviar información falsa al BES accediendo a Información específica sobre un dispositivo que se inscribió legítimamente en el BES. • http://support.blackberry.com/kb/articleDetail?articleNumber=000038913 http://www.securityfocus.com/bid/95624 http://www.securitytracker.com/id/1037585 • CWE-254: 7PK - Security Features •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-1914 – BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1914
Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) mydevice/client/image, (2) admin/client/image, (3) myapps/client/image, (4) ssam/client/image, or (5) all/client/image. Varias vulnerabilidades de inyección de SQL en el servlet com.rim.mdm.ui.server.ImageServlet en BlackBerry Enterprise Server 12 (BES12) Self-Service en versiones anteriores a 12.4 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro imageName a (1) mydevice/client/image, (2) admin/client/image, (3) myapps/client/image, (4) ssam/client/image, o (5) all/client/image. BlackBerry Enterprise Service 12 (BES12) Self-Service suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/39481 http://seclists.org/fulldisclosure/2016/Feb/95 http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf http://support.blackberry.com/kb/articleDetail?articleNumber=000038033 http://www.securitytracker.com/id/1035095 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-1915 – BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1915
Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to inject arbitrary web script or HTML via the locale parameter to (1) mydevice/index.jsp or (2) mydevice/loggedOut.jsp. Varias vulnerabilidades de XSS en BlackBerry Enterprise Server 12 Self-Service en versiones anteriores a 12.4 permiten a los atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro local en mydevice/ndex.jsp o (2) mydevice /loggedOut.jsp. BlackBerry Enterprise Service 12 (BES12) Self-Service suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/39481 http://seclists.org/fulldisclosure/2016/Feb/95 http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf http://support.blackberry.com/kb/articleDetail?articleNumber=000038033 http://www.securitytracker.com/id/1035095 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •