Websphere Application Server
by IBM
CVEs (462)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2011-1307 | 0.00 | — | 0.00 | Mar 8, 2011 | The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a temporary log directory, which allows local users to have unintended access to log files via standard filesystem operations, a different vulnerability than CVE-2009-1173. | |||
| CVE-2008-7274 | 0.00 | — | 0.01 | Feb 15, 2011 | IBM WebSphere Application Server (WAS) 6.1.0.9, when the JAAS Login functionality is enabled, allows attackers to perform an internal application hashtable login by (1) not providing a password or (2) providing an empty password. | |||
| CVE-2011-0316 | 0.00 | — | 0.02 | Jan 12, 2011 | The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request. | |||
| CVE-2011-0315 | 0.00 | — | 0.02 | Jan 12, 2011 | Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an… | |||
| CVE-2010-4220 | 0.00 | — | 0.02 | Nov 9, 2010 | Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in… | |||
| CVE-2010-0786 | 0.00 | — | 0.02 | Nov 9, 2010 | The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request… | |||
| CVE-2010-0785 | 0.00 | — | 0.01 | Nov 9, 2010 | Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||
| CVE-2010-0784 | 0.00 | — | 0.01 | Nov 9, 2010 | Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2010-0783 | 0.00 | — | 0.02 | Nov 9, 2010 | Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2010-3700 | 0.00 | — | 0.02 | Oct 29, 2010 | VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter. | |||
| CVE-2010-0781 | 0.00 | — | 0.02 | Sep 21, 2010 | Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL. | |||
| CVE-2010-3186 | 0.00 | — | 0.03 | Aug 30, 2010 | IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has… | |||
| CVE-2010-0779 | 0.00 | — | 0.01 | Jun 24, 2010 | Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2010-0778 | 0.00 | — | 0.01 | Jun 24, 2010 | Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2010-2328 | 0.00 | — | 0.01 | Jun 18, 2010 | The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (NullPointerException) via a large amount of chunked data that uses gzip compression. | |||
| CVE-2010-2327 | 0.00 | — | 0.01 | Jun 18, 2010 | mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a… | |||
| CVE-2010-2326 | 0.00 | — | 0.01 | Jun 18, 2010 | IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node federation, allows attackers to obtain sensitive information about CIMMetadataCollectorImpl trace actions by reading the addNode.log file. | |||
| CVE-2010-2325 | 0.00 | — | 0.02 | Jun 18, 2010 | Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection." | |||
| CVE-2010-2324 | 0.00 | — | 0.01 | Jun 18, 2010 | IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via unknown vectors. | |||
| CVE-2010-2323 | 0.00 | — | 0.01 | Jun 18, 2010 | IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT. |
- CVE-2011-1307Mar 8, 2011risk 0.00cvss —epss 0.00
The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a temporary log directory, which allows local users to have unintended access to log files via standard filesystem operations, a different vulnerability than CVE-2009-1173.
- CVE-2008-7274Feb 15, 2011risk 0.00cvss —epss 0.01
IBM WebSphere Application Server (WAS) 6.1.0.9, when the JAAS Login functionality is enabled, allows attackers to perform an internal application hashtable login by (1) not providing a password or (2) providing an empty password.
- CVE-2011-0316Jan 12, 2011risk 0.00cvss —epss 0.02
The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request.
- CVE-2011-0315Jan 12, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an…
- CVE-2010-4220Nov 9, 2010risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in…
- CVE-2010-0786Nov 9, 2010risk 0.00cvss —epss 0.02
The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request…
- CVE-2010-0785Nov 9, 2010risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
- CVE-2010-0784Nov 9, 2010risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2010-0783Nov 9, 2010risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2010-3700Oct 29, 2010risk 0.00cvss —epss 0.02
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.
- CVE-2010-0781Sep 21, 2010risk 0.00cvss —epss 0.02
Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL.
- CVE-2010-3186Aug 30, 2010risk 0.00cvss —epss 0.03
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has…
- CVE-2010-0779Jun 24, 2010risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2010-0778Jun 24, 2010risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2010-2328Jun 18, 2010risk 0.00cvss —epss 0.01
The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (NullPointerException) via a large amount of chunked data that uses gzip compression.
- CVE-2010-2327Jun 18, 2010risk 0.00cvss —epss 0.01
mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a…
- CVE-2010-2326Jun 18, 2010risk 0.00cvss —epss 0.01
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node federation, allows attackers to obtain sensitive information about CIMMetadataCollectorImpl trace actions by reading the addNode.log file.
- CVE-2010-2325Jun 18, 2010risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."
- CVE-2010-2324Jun 18, 2010risk 0.00cvss —epss 0.01
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via unknown vectors.
- CVE-2010-2323Jun 18, 2010risk 0.00cvss —epss 0.01
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT.
Page 17 of 24