CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-1094
https://notcve.org/view.php?id=CVE-2012-1094
JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed. JBoss AS versiones 7 anteriores a la versión 7.1.1 y mod_cluster no manejan el nombre de host predeterminado de la misma manera, lo que puede causar que la lista de contextos excluidos sea contrastada inapropiadamente y que el contexto root sea expuesto. • https://access.redhat.com/security/cve/cve-2012-1094 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2011-3609
https://notcve.org/view.php?id=CVE-2011-3609
A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker. Se encontró un problema CSRF en JBoss Application Server 7 versiones anteriores a 7.1.0. JBoss no restringió apropiadamente el acceso a la información de la consola de administración (por ejemplo, por medio del flag de control de acceso HTTP "Access-Control-Allow-Origin"). • https://access.redhat.com/security/cve/cve-2011-3609 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609 https://security-tracker.debian.org/tracker/CVE-2011-3609 https://www.securityfocus.com/bid/50888 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 0CVE-2011-3606
https://notcve.org/view.php?id=CVE-2011-3606
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution. Se encontró un fallo de tipo cross-site scripting basado en DOM en la consola de administración de JBoss Application Server 7 versiones anteriores 7.1.0 Beta 1. Un atacante remoto podría proveer una página web especialmente diseñada y engañar al usuario AS de JBoss válido, con el privilegio de administrador, para visitarla, lo que conllevaría a la modificación del entorno DOM y a una ejecución de un script web o HTML arbitrario. • https://access.redhat.com/security/cve/cve-2011-3606 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606 https://security-tracker.debian.org/tracker/CVE-2011-3606 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4529 – Web: jsessionid exposed via encoded url when using cookie based session tracking
https://notcve.org/view.php?id=CVE-2012-4529
The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log. El método org.apache.catalina.connector.Response.encodeURL en Red Hat JBoss Web 7.1.x y anteriores, cuando el modo de traceo está fijado a COOKIE, envia el parámetro jsessionid en la URL de la primera respuesta de una sesion, lo que permite a atacantes remotos obtener el id de sesion a treves de un ataque man-in-the-middle o leyendo un log • http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request http://rhn.redhat.com/errata/RHSA-2013-0833.html http://rhn.redhat.com/errata/RHSA-2013-0834.html http://rhn.redhat.com/errata/RHSA-2013-0839.html http://rhn.redhat.com/errata/RHSA-2013-1437.html https://issues.jboss.org/browse/JBWEB-249 https://access.redhat.com/security/cve/CVE-2012-4529 https://bugzilla.redhat.com/show_bug.cgi?id=868202 •