CVE-2023-4501 – Authentication bypass in OpenText (Micro Focus) Enterprise Server
https://notcve.org/view.php?id=CVE-2023-4501
User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user. Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon. Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password. • https://portal.microfocus.com/s/article/KM000021287 • CWE-253: Incorrect Check of Function Return Value CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness CWE-358: Improperly Implemented Security Check for Standard •
CVE-2016-1917
https://notcve.org/view.php?id=CVE-2016-1917
Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1918. Vulnerabilidad de XSS en la Management Console en BlackBerry Enterprise Server (BES) 12 en versiones anteriores a 12.4.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada, una vulnerabilidad diferente a CVE-2016-1918. • http://www.blackberry.com/btsc/KB38118 http://www.securitytracker.com/id/1035568 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-1916
https://notcve.org/view.php?id=CVE-2016-1916
Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote authenticated users to inject arbitrary web script or HTML by leveraging basic administrative access to create a crafted policy, leading to improper rendering on a certain Export IT screen. Vulnerabilidad de XSS en la Management Console en BlackBerry Enterprise Server (BES) 12 en versiones anteriores a 12.4.1 permite a usuarios autenticados remotos inyectar secuencias de comandos web o HTML arbitrarios aprovechando acceso administrativo básico para crear una política manipulada, dando lugar al renderizado incorrecto en una determinada pantalla Export IT. • http://www.blackberry.com/btsc/KB38117 http://www.securitytracker.com/id/1035568 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-3126
https://notcve.org/view.php?id=CVE-2016-3126
Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de XSS en la Management Console en BlackBerry Enterprise Server (BES) 12 en versiones anteriores a 12.4.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada. • http://www.blackberry.com/btsc/KB38119 http://www.securitytracker.com/id/1035568 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-1918
https://notcve.org/view.php?id=CVE-2016-1918
Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1917. Vulnerabilidad de XSS en la Management Console en BlackBerry Enterprise Server (BES) 12 en versiones anteriores a 12.4.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada, una vulnerabilidad diferente a CVE-2016-1917. • http://www.blackberry.com/btsc/KB38118 http://www.securitytracker.com/id/1035568 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •