
CVSS: 6.1 | EPSS: 0% | CPEs: 54 | EXPL: 0

IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 6.0, 7.0, and 8.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 127385.
• http://www.ibm.com/support/docview.wss?uid=swg22005360 http://www.securityfocus.com/bid/99491 https://exchange.xforce.ibmcloud.com/vulnerabilities/127385
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 9.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

IBM WebSphere Commerce contains an unspecified vulnerability that could allow disclosure of user personal data, performance of unauthorized administrative operations, and potentially a denial of service.
• http://www.ibm.com/support/docview.wss?uid=swg21992759 http://www.securityfocus.com/bid/93873 http://www.securitytracker.com/id/1037091

CVSS: 6.1 | EPSS: 0% | CPEs: 27 | EXPL: 0

Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 before 7.0.0.9 cumulative iFix 3, and 8.0 before 8.0.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
• http://www-01.ibm.com/support/docview.wss?uid=swg1JR55049 http://www-01.ibm.com/support/docview.wss?uid=swg1JR55139 http://www-01.ibm.com/support/docview.wss?uid=swg1JR55141 http://www-01.ibm.com/support/docview.wss?uid=swg1JR55264 http://www-01.ibm.com/support/docview.wss?
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 25 | EXPL: 0

IBM WebSphere Commerce 6.x through 6.0.0.11, 7.x through 7.0.0.9, and 8.x before 8.0.0.3 allows remote attackers to cause a denial of service (order-processing outage) via unspecified vectors.
• http://www-01.ibm.com/support/docview.wss?uid=swg1JR54988 http://www-01.ibm.com/support/docview.wss?uid=swg21975774 http://www.securitytracker.com/id/1035239
• CWE-284: Improper Access Control

CVSS: 4.9 | EPSS: 0% | CPEs: 22 | EXPL: 0

IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.9 allows remote authenticated Commerce Accelerator administrators to obtain sensitive information via unspecified vectors.
• http://www-01.ibm.com/support/docview.wss?uid=swg1JR54585 http://www-01.ibm.com/support/docview.wss?uid=swg21976623
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-284: Improper Access Control