CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5422 – JON3: privilege escalation via improper authorization
https://notcve.org/view.php?id=CVE-2016-5422
31 Aug 2016 — The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request. La consola web en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.7 no autoriza adecuadamente peticiones para agregar usuarios con el rol de superusuario, lo que permite a usuarios remotos autenticados obtener privilegios de administrador a través de ... • http://rhn.redhat.com/errata/RHSA-2016-1785.html • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3737 – Red Hat Security Advisory 2016-1519-01
https://notcve.org/view.php?id=CVE-2016-3737
28 Jul 2016 — The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. El servidor en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.6 permite a atacantes remotos ejecutar código arbitrario a traves una petición HTTP manipulada, relacionado con deserialización de mensaje. Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control... • http://rhn.redhat.com/errata/RHSA-2016-1519.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3267 – JON: Cross Site scripting possible on the JBoss ON 404 error page
https://notcve.org/view.php?id=CVE-2015-3267
03 Aug 2015 — Cross-site scripting (XSS) vulnerability in the 404 error page in Red Hat JBoss Operations Network before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de XSS en la página de error 404 en Red Hat JBoss Operations Network en versiones anteriores a 3.3.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada. It was discovered that a cross-site scripting (XSS) vulnerability on a JBoss Operation... • http://rhn.redhat.com/errata/RHSA-2015-1525.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2011-4573 – JON: Incorrect delete permissions check
https://notcve.org/view.php?id=CVE-2011-4573
01 Apr 2014 — Red Hat JBoss Operations Network (JON) before 2.4.2 does not properly enforce "modify resource" permissions for remote authenticated users when deleting a plug-in configuration update from the group connection properties history, which prevents such activities from being recorded in the audit trail. Red Hat JBoss Operations Network (JON) anterior a 2.4.2 no fuerza debidamente permisos de modificar recurso para usuarios remotos autenticados cuando elimina una actualización de configuración de plugin del hist... • http://rhn.redhat.com/errata/RHSA-2012-0089.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2012-0032 – CLI: world-writable root directory
https://notcve.org/view.php?id=CVE-2012-0032
01 Apr 2014 — Red Hat JBoss Operations Network (JON) before 3.0.1 uses 0777 permissions for the root directory when installing a remote client, which allows local users to read or modify subdirectories and files within the root directory, as demonstrated by obtaining JON credentials. Red Hat JBoss Operations Network (JON) anterior a 3.0.1 utiliza permisos 0777 para el directorio root cuando instala un cliente remoto, lo que permite a usuarios locales leer o modificar subdirectorios y archivos dentro del directorio root, ... • http://rhn.redhat.com/errata/RHSA-2012-0406.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2012-0052 – JON: Unapproved agents can connect using the name of an existing approved agent
https://notcve.org/view.php?id=CVE-2012-0052
14 Feb 2014 — Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3.0.1 does not check the JON agent key, which allows remote attackers to spoof the identity of arbitrary agents via the registered agent name. Red Hat JBoss Operations Network (JON) anterior a 2.4.2 y 3.0.x anterior a 3.0.1 no comprueba la clave del agente JON, lo que permite a atacantes remotos falsificar la identidad de agentes arbitrarios a través del nombre del agente registrado. • http://rhn.redhat.com/errata/RHSA-2012-0089.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0CVE-2012-0062 – JON: Unapproved agents can hijack an approved agent's endpoint by using a null security token
https://notcve.org/view.php?id=CVE-2012-0062
14 Feb 2014 — Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3.0.1 allows remote attackers to hijack agent sessions via an agent registration request without a security token. Red Hat JBoss Operations Network (JON) anterior a 2.4.2 y 3.0.x anterior a 3.0.1 permite a atacantes remotos secuestrar sesiones de agente a través de una solicitud de registro de agente sin un token de seguridad. • http://rhn.redhat.com/errata/RHSA-2012-0089.html • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0CVE-2012-1100 – JON: LDAP authentication allows any user access if bind credentials are bad
https://notcve.org/view.php?id=CVE-2012-1100
14 Feb 2014 — Red Hat JBoss Operations Network (JON) 3.0.x before 3.0.1, 2.4.2, and earlier, when LDAP authentication is enabled and the LDAP bind account credentials are invalid, allows remote attackers to login to LDAP-based accounts via an arbitrary password in a login request. Red Hat JBoss Operations Network (JON) 3.0.x anterior a 3.0.1, 2.4.2 y anteriores, cuando la autenticación LDAP está habilitada y las credenciales de la cuenta LDAP bind no son válidos, permite a atacantes remotos iniciar una sesión en cuentas ... • http://rhn.redhat.com/errata/RHSA-2012-0396.html • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 34%CPEs: 99EXPL: 2CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
10 Jul 2013 — ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the c... • https://packetstorm.news/files/id/156663 • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 0CVE-2011-3206 – JON: Multiple XSS flaws
https://notcve.org/view.php?id=CVE-2011-3206
08 Jan 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in RHQ 4.2.0, as used in JBoss Operations Network (aka JON or JBoss ON) before 3.0, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en la interfaz de administración de RHQ v4.2.0, tal y como se utiliza en JBoss Operations Network (también conocido como Jon o JBoss ON) antes de la versión v3.0, permite a atacantes ... • http://rhn.redhat.com/errata/RHSA-2012-0089.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •