CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-7041 – Workbench: Path traversal vulnerability
https://notcve.org/view.php?id=CVE-2016-7041
Drools Workbench contains a path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host. Drools Workbench contiene una vulnerabilidad de salto de directorio. La vulnerabilidad permite que un atacante autenticado remoto omita las restricciones del directorio y recupere archivos arbitrarios desde el host afectado Drools Workbench contains the path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host. • http://rhn.redhat.com/errata/RHSA-2016-2822.html http://rhn.redhat.com/errata/RHSA-2016-2823.html http://rhn.redhat.com/errata/RHSA-2016-2937.html http://rhn.redhat.com/errata/RHSA-2016-2938.html http://www.securityfocus.com/bid/94566 http://www.securitytracker.com/id/1037406 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7041 https://access.redhat.com/security/cve/CVE-2016-7041 https://bugzilla.redhat.com/show_bug.cgi?id=1375757 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 14EXPL: 0CVE-2016-4999 – Dashbuilder: SQL Injection on data set lookup filters
https://notcve.org/view.php?id=CVE-2016-4999
SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI. Vulnerabilidad de inyección SQL en el método getStringParameterSQL en main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java en Dashbuilder en versiones anteriores a 0.6.0.Beta1 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de un filtro de búsqueda de conjunto de datos en (1) Data Set Authoring o (2) Displayer editor UI. A security flaw was found in the way Dashbuilder performed SQL datasets lookup requests in the Data Set Authoring UI or the Displayer editor UI. A remote attacker could use this flaw to conduct SQL injection attacks via specially-crafted string filter parameter. • http://www.securityfocus.com/bid/91795 https://access.redhat.com/errata/RHSA-2016:1428 https://access.redhat.com/errata/RHSA-2016:1429 https://bugzilla.redhat.com/show_bug.cgi?id=1349990 https://github.com/dashbuilder/dashbuilder/commit/8574899e3b6455547b534f570b2330ff772e524b https://issues.jboss.org/browse/DASHBUILDE-113 https://access.redhat.com/security/cve/CVE-2016-4999 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •