1 results (0.010 seconds)

CVSS: 5.8EPSS: 0%CPEs: 14EXPL: 0

message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. message/ax/AxMessage.java en OpenID4Java antes v0.9.6 final, tal y como se utiliza en JBoss Enterprise Application Platform v5.1 antes de v5.1.2, Step2, Kay Framework antes de la versión v1.0.2, y posiblemente otros productos no verifica que la información de intercambio de atributos (Attribute Exchange - AX) ha sido firmada, lo que permite a atacantes remotos modificar la información AX potencialmente sensible sin ser detectado a través de un ataque "Man-in-the-middle" (MITM). • http://openid.net/2011/05/05/attribute-exchange-security-alert http://rhn.redhat.com/errata/RHSA-2012-0441.html http://rhn.redhat.com/errata/RHSA-2012-0519.html http://secunia.com/advisories/44496 http://secunia.com/advisories/48697 http://secunia.com/advisories/48954 http://securitytracker.com/id?1026400 http://www.openwall.com/lists/oss-security/2011/11/16/1 http://www.openwall.com/lists/oss-security/2011/11/17/1 http://www.redhat.com/support/errata/RHSA-2 • CWE-20: Improper Input Validation •