CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2011-2941 – Platform: open URL redirect
https://notcve.org/view.php?id=CVE-2011-2941
26 Feb 2014 — Open redirect vulnerability in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the initialURI parameter. Vulnerabilidad de redirección abierta en Red Hat JBoss Enterprise Portal Platform anterior a 5.2.0 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de una URL en el parámetro initialURI. • http://rhn.redhat.com/errata/RHSA-2011-1822.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2011-4580 – Platform: Multiple XSS flaws
https://notcve.org/view.php?id=CVE-2011-4580
26 Feb 2014 — Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de XSS en Red Hat JBoss Enterprise Portal Platform anterior a 5.2.0 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2011-1822.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2013-2102 – Gatein: JGroups configurations enable diagnostics without authentication
https://notcve.org/view.php?id=CVE-2013-2102
17 Oct 2013 — The default configuration of Red Hat JBoss Portal before 6.1.0 enables the JGroups diagnostics service with no authentication when a JGroups channel is started, which allows remote attackers to obtain sensitive information (diagnostics) by accessing the service. La configuración por defecto de Red Hat JBoss Portal anterior a la versión 6.1.0 habilita el servicio de diagnóstico JGroups sin autenticación cuando se inicia un canal JGroups, lo que permite a atacantes remotos obtener información sensible (diagnó... • http://rhn.redhat.com/errata/RHSA-2013-1437.html • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 2CVE-2013-2186 – commons-fileupload: Arbitrary file upload via deserialization
https://notcve.org/view.php?id=CVE-2013-2186
16 Oct 2013 — The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance. La clase DiskFileItem en Apache Commons FileUpload, tal como se utiliza en Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2 y 6.0.0; y Red Hat JBoss Web Server 1.0.2 permite a atacantes remotos escribir en archivos arbitrarios a tr... • https://github.com/GrrrDog/ACEDcup • CWE-20: Improper Input Validation CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 7.5EPSS: 1%CPEs: 17EXPL: 0CVE-2011-1483 – JBossWS remote Denial of Service
https://notcve.org/view.php?id=CVE-2011-1483
25 Jul 2013 — wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via ... • http://source.jboss.org/changelog/JBossWS/?cs=13996 •
CVSS: 7.5EPSS: 3%CPEs: 99EXPL: 2CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
10 Jul 2013 — ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the c... • https://packetstorm.news/files/id/156663 • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 0%CPEs: 21EXPL: 0CVE-2012-4572 – JBoss: custom authorization module implementations shared between applications
https://notcve.org/view.php?id=CVE-2012-4572
20 May 2013 — Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. Red Hat JBoss Enterprise Application Platform (EAP) antes de 6.1.0 y JBoss Portal anteriores a 6.1.0 no carga la implementación de un módulo de ... • http://rhn.redhat.com/errata/RHSA-2013-0833.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 0%CPEs: 26EXPL: 1CVE-2012-5575 – apache-cxf: XML encryption backwards compatibility attacks
https://notcve.org/view.php?id=CVE-2012-5575
20 May 2013 — Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." Apache CXF en versiones 2.5.x anteriores a la 2.5.10, 2.6.x anteriores a CXF 2.6.7 y 2.7.x ante... • https://github.com/tafamace/CVE-2012-5575 • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2012-3532 – Portal: Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2012-3532
12 Apr 2013 — Cross-site request forgery (CSRF) vulnerability in the GateIn Portal component in JBoss Enterprise Portal Platform 5.2.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Una vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en el componente Portal GateIn en JBoss Enterprise Portal Platform v5.2.2 y anteriores permite a atacantes remotos secuestrar la autenticación de víctimas no especificadas a través de vectores desconocidos. • http://rhn.redhat.com/errata/RHSA-2013-0733.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 2%CPEs: 26EXPL: 0CVE-2011-4085 – Invoker servlets authentication bypass (HTTP verb tampering)
https://notcve.org/view.php?id=CVE-2011-4085
23 Nov 2012 — The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. Los servlets invocados por httpha-invoker en JBoss Enterprise Application Platform anterior a v5.1... • http://rhn.redhat.com/errata/RHSA-2011-1456.html • CWE-287: Improper Authentication •