CVE-2013-6447 – Seam: XML eXternal Entity (XXE) flaw in remoting
https://notcve.org/view.php?id=CVE-2013-6447
Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file. Múltiples vulnerabilidades de XXE en las clases (1) ExecutionHandler, (2) PollHandler, y (3) SubscriptionHandler en JBoss Seam Remoting de JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atancantes remotos leer archivos arbitrarios y posiblemente tener otros impactos a través de un archivo XML manipulado. • http://rhn.redhat.com/errata/RHSA-2014-0045.html http://secunia.com/advisories/56572 http://www.securitytracker.com/id/1029652 https://bugzilla.redhat.com/show_bug.cgi?id=1044784 https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5 https://access.redhat.com/security/cve/CVE-2013-6447 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2013-6448 – Seam: Information disclosure in remoting
https://notcve.org/view.php?id=CVE-2013-6448
The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors. El manejador InterfaceGenerator en JBoss Seam Remoting en JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atacantes remotos evadir la restricción de anotación de WebRemote y obtener información sobre clases y métodos arbitrarios en el servidor classpath a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0045.html http://secunia.com/advisories/56572 http://www.securitytracker.com/id/1029652 https://bugzilla.redhat.com/show_bug.cgi?id=1044794 https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5 https://access.redhat.com/security/cve/CVE-2013-6448 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •