VYPR
Vendor

Rws

Products
3
CVEs
8
Across products
8
Status
Private

Products

3

Recent CVEs

8
  • CVE-2022-34267CriDec 25, 2023
    risk 0.67cvss 9.8epss 0.42

    An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint.

  • CVE-2022-34270CriFeb 29, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager.

  • CVE-2022-34268CriDec 25, 2023
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.

  • CVE-2022-34269HigFeb 29, 2024
    risk 0.57cvss 8.8epss 0.02

    An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/load_dtd?system_id= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution.

  • CVE-2024-43025MedSep 18, 2024
    risk 0.40cvss 6.1epss 0.00

    An HTML injection vulnerability in RWS MultiTrans v7.0.23324.2 and earlier allows attackers to alter the HTML-layout and possibly execute a phishing attack via a crafted payload injected into a sent e-mail.

  • CVE-2024-43024MedSep 18, 2024
    risk 0.40cvss 6.1epss 0.00

    Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2023-38357MedAug 1, 2023
    risk 0.38cvss 5.3epss 0.03

    Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.

  • CVE-2005-4548Dec 28, 2005
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the "user area" in RWS Statistics Counter before 2.4.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors.