CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2014-3518 – 5: Remote code execution via unauthenticated JMX/RMI connector
https://notcve.org/view.php?id=CVE-2014-3518
16 Jul 2014 — jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors. jmx-remoting.sar en JBoss Remoting, utilizado en Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2... • http://rhn.redhat.com/errata/RHSA-2014-0887.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2013-2102 – Gatein: JGroups configurations enable diagnostics without authentication
https://notcve.org/view.php?id=CVE-2013-2102
17 Oct 2013 — The default configuration of Red Hat JBoss Portal before 6.1.0 enables the JGroups diagnostics service with no authentication when a JGroups channel is started, which allows remote attackers to obtain sensitive information (diagnostics) by accessing the service. La configuración por defecto de Red Hat JBoss Portal anterior a la versión 6.1.0 habilita el servicio de diagnóstico JGroups sin autenticación cuando se inicia un canal JGroups, lo que permite a atacantes remotos obtener información sensible (diagnó... • http://rhn.redhat.com/errata/RHSA-2013-1437.html • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 91%CPEs: 7EXPL: 2CVE-2013-2186 – commons-fileupload: Arbitrary file upload via deserialization
https://notcve.org/view.php?id=CVE-2013-2186
16 Oct 2013 — The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance. La clase DiskFileItem en Apache Commons FileUpload, tal como se utiliza en Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2 y 6.0.0; y Red Hat JBoss Web Server 1.0.2 permite a atacantes remotos escribir en archivos arbitrarios a tr... • https://github.com/GrrrDog/ACEDcup • CWE-20: Improper Input Validation CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 7.5EPSS: 34%CPEs: 99EXPL: 2CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
10 Jul 2013 — ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the c... • https://packetstorm.news/files/id/156663 • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 0%CPEs: 21EXPL: 0CVE-2012-4572 – JBoss: custom authorization module implementations shared between applications
https://notcve.org/view.php?id=CVE-2012-4572
20 May 2013 — Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. Red Hat JBoss Enterprise Application Platform (EAP) antes de 6.1.0 y JBoss Portal anteriores a 6.1.0 no carga la implementación de un módulo de ... • http://rhn.redhat.com/errata/RHSA-2013-0833.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 8%CPEs: 26EXPL: 1CVE-2012-5575 – apache-cxf: XML encryption backwards compatibility attacks
https://notcve.org/view.php?id=CVE-2012-5575
20 May 2013 — Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." Apache CXF en versiones 2.5.x anteriores a la 2.5.10, 2.6.x anteriores a CXF 2.6.7 y 2.7.x ante... • https://github.com/tafamace/CVE-2012-5575 • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2012-3532 – Portal: Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2012-3532
12 Apr 2013 — Cross-site request forgery (CSRF) vulnerability in the GateIn Portal component in JBoss Enterprise Portal Platform 5.2.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Una vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en el componente Portal GateIn en JBoss Enterprise Portal Platform v5.2.2 y anteriores permite a atacantes remotos secuestrar la autenticación de víctimas no especificadas a través de vectores desconocidos. • http://rhn.redhat.com/errata/RHSA-2013-0733.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.0EPSS: 0%CPEs: 8EXPL: 0CVE-2011-2908 – CSRF on jmx-console allows invocation of operations on mbeans
https://notcve.org/view.php?id=CVE-2011-2908
23 Nov 2012 — Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en JMX Console (jmx-console) en JBoss Enterprise Portal... • http://rhn.redhat.com/errata/RHSA-2012-1152.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 2%CPEs: 9EXPL: 0CVE-2011-4605 – JNDI: unauthenticated remote write access is permitted by default
https://notcve.org/view.php?id=CVE-2011-4605
23 Nov 2012 — The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors. El (1) servicio JNDI, (2) servicio HA-JNDI, y (3) servlet HAJNDIFactory en JBoss Enterp... • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469 • CWE-264: Permissions, Privileges, and Access Controls CWE-306: Missing Authentication for Critical Function •