CVE-2012-6091
https://notcve.org/view.php?id=CVE-2012-6091
Zend_XmlRpc Class in Magento before 1.7.0.2 contains an information disclosure vulnerability. La función Class Zend_XmlRpc en Magento versión anterior a 1.7.0.2, contiene una vulnerabilidad de divulgación de información. • http://www.openwall.com/lists/oss-security/2013/01/03/10 http://www.securityfocus.com/bid/57140 https://exchange.xforce.ibmcloud.com/vulnerabilities/80973 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2011-5240
https://notcve.org/view.php?id=CVE-2011-5240
Magento 1.5 and 1.6.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Magento v1.5 y v1.6.2 no comprueba si el nombre del servidor coincide con un nombre de dominio en el Common Name (CN) del asunto o el campo subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido arbitrario. • http://www.unrest.ca/peerjacking • CWE-20: Improper Input Validation •