CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3650
https://notcve.org/view.php?id=CVE-2014-3650
Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input. Se encontraron múltiples fallos persistentes de tipo cross-site scripting (XSS) en la forma en que Aerogear manejaba determinado contenido suministrado por el usuario. Un atacante remoto podría usar estos fallos para comprometer la aplicación con entradas especialmente diseñadas • https://bugzilla.redhat.com/show_bug.cgi?id=1144212 https://issues.redhat.com/browse/AEROGEAR-5978 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3648
https://notcve.org/view.php?id=CVE-2014-3648
The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer for the posting of malware and so on. • https://issues.redhat.com/browse/AEROGEAR-6091 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3649
https://notcve.org/view.php?id=CVE-2014-3649
JBoss AeroGear has reflected XSS via the password field JBoss AeroGear presenta una vulnerabilidad de tipo XSS reflejado por medio del campo de contraseña. • https://access.redhat.com/security/cve/cve-2014-3649 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3649 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •