Rws
Products
3- 5 CVEs
- 2 CVEs
- 1 CVE
Recent CVEs
8| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-34267 | Cri | 0.67 | 9.8 | 0.42 | Dec 25, 2023 | An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint. | ||
| CVE-2022-34270 | Cri | 0.64 | 9.8 | 0.01 | Feb 29, 2024 | An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager. | ||
| CVE-2022-34268 | Cri | 0.64 | 9.8 | 0.01 | Dec 25, 2023 | An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host. | ||
| CVE-2022-34269 | Hig | 0.57 | 8.8 | 0.02 | Feb 29, 2024 | An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/load_dtd?system_id= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution. | ||
| CVE-2024-43025 | Med | 0.40 | 6.1 | 0.00 | Sep 18, 2024 | An HTML injection vulnerability in RWS MultiTrans v7.0.23324.2 and earlier allows attackers to alter the HTML-layout and possibly execute a phishing attack via a crafted payload injected into a sent e-mail. | ||
| CVE-2024-43024 | Med | 0.40 | 6.1 | 0.00 | Sep 18, 2024 | Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||
| CVE-2023-38357 | Med | 0.38 | 5.3 | 0.03 | Aug 1, 2023 | Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions. | ||
| CVE-2005-4548 | 0.00 | — | 0.01 | Dec 28, 2005 | SQL injection vulnerability in the "user area" in RWS Statistics Counter before 2.4.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors. |
- risk 0.67cvss 9.8epss 0.42
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.
- risk 0.57cvss 8.8epss 0.02
An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/load_dtd?system_id= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution.
- risk 0.40cvss 6.1epss 0.00
An HTML injection vulnerability in RWS MultiTrans v7.0.23324.2 and earlier allows attackers to alter the HTML-layout and possibly execute a phishing attack via a crafted payload injected into a sent e-mail.
- risk 0.40cvss 6.1epss 0.00
Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload.
- risk 0.38cvss 5.3epss 0.03
Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.
- CVE-2005-4548Dec 28, 2005risk 0.00cvss —epss 0.01
SQL injection vulnerability in the "user area" in RWS Statistics Counter before 2.4.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors.