CVSS: 7.5EPSS: 1%CPEs: 17EXPL: 0CVE-2011-1483 – JBossWS remote Denial of Service
https://notcve.org/view.php?id=CVE-2011-1483
25 Jul 2013 — wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via ... • http://source.jboss.org/changelog/JBossWS/?cs=13996 •
CVSS: 7.5EPSS: 34%CPEs: 99EXPL: 2CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
10 Jul 2013 — ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the c... • https://packetstorm.news/files/id/156663 • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 26EXPL: 0CVE-2011-4085 – Invoker servlets authentication bypass (HTTP verb tampering)
https://notcve.org/view.php?id=CVE-2011-4085
23 Nov 2012 — The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. Los servlets invocados por httpha-invoker en JBoss Enterprise Application Platform anterior a v5.1... • http://rhn.redhat.com/errata/RHSA-2011-1456.html • CWE-287: Improper Authentication •
CVSS: 8.0EPSS: 0%CPEs: 8EXPL: 0CVE-2011-2908 – CSRF on jmx-console allows invocation of operations on mbeans
https://notcve.org/view.php?id=CVE-2011-2908
23 Nov 2012 — Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en JMX Console (jmx-console) en JBoss Enterprise Portal... • http://rhn.redhat.com/errata/RHSA-2012-1152.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 28EXPL: 0CVE-2012-2377 – JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started
https://notcve.org/view.php?id=CVE-2012-2377
23 Nov 2012 — JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast. El servicio de diagnóstico JGroups en JBoss Enterprise Portal Platform anterior a v5.2.2, SOA Platform anterior a v5.3.0, y BRMS Platform anterior a v5.3.0, se activa sin necesidad de autentica... • http://rhn.redhat.com/errata/RHSA-2012-1028.html • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2012-1167 – JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
https://notcve.org/view.php?id=CVE-2012-1167
23 Nov 2012 — The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications. El JBoss Server en JBoss Enterp... • http://rhn.redhat.com/errata/RHSA-2012-1013.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 1%CPEs: 37EXPL: 0CVE-2011-2196 – JBoss Seam EL interpolation in exception handling
https://notcve.org/view.php?id=CVE-2011-2196
27 Jul 2011 — jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerab... • http://www.redhat.com/support/errata/RHSA-2011-0945.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 1%CPEs: 35EXPL: 0CVE-2011-1484 – JBoss Seam privilege escalation caused by EL interpolation in FacesMessages
https://notcve.org/view.php?id=CVE-2011-1484
27 Jul 2011 — jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. jboss-seam.jar en el framework JBoss Seam 2 2.2.x y versiones ant... • http://www.redhat.com/support/errata/RHSA-2011-0460.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 0CVE-2010-2474
https://notcve.org/view.php?id=CVE-2010-2474
09 Aug 2010 — JBoss Enterprise Service Bus (ESB) before 4.7 CP02 in JBoss Enterprise SOA Platform before 5.0.2 does not properly consider the security domain with which a service is secured, which might allow remote attackers to gain privileges by executing a service. JBoss Enterprise Service Bus (ESB) anterior a v4.7 CP02 en JBoss Enterprise SOA Platform anterior a v5.0.2 no considera apropiadamente el dominio de seguridad con el que un servicio está garantizado, lo que podría permitir a atacantes remotos ganar privileg... • http://secunia.com/advisories/40568 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 0CVE-2010-2493
https://notcve.org/view.php?id=CVE-2010-2493
09 Aug 2010 — The default configuration of the deployment descriptor (aka web.xml) in picketlink-sts.war in (1) the security_saml quickstart, (2) the webservice_proxy_security quickstart, (3) the web-console application, (4) the http-invoker application, (5) the gpd-deployer application, (6) the jbpm-console application, (7) the contract application, and (8) the uddi-console application in JBoss Enterprise SOA Platform before 5.0.2 contains GET and POST http-method elements, which allows remote attackers to bypass intend... • http://secunia.com/advisories/40681 • CWE-16: Configuration •