Total
421 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2009-2090 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.0 MEDIUM | N/A |
Unspecified vulnerability in wsadmin in the System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 allows remote attackers to bypass intended Java Management Extensions (JMX) Management Beans (aka MBeans) access restrictions, and cause a denial of service (daemon stop), via unknown vectors. | |||||
CVE-2009-2089 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 2.1 LOW | N/A |
The Migration component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when tracing is enabled and a 6.1 to 7.0 migration has occurred, allows remote authenticated users to obtain sensitive information by reading a Migration Trace file. | |||||
CVE-2009-2088 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 7.5 HIGH | N/A |
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property. | |||||
CVE-2009-2087 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 2.1 LOW | N/A |
The Web Services functionality in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, in certain circumstances involving the ibm-webservicesclient-bind.xmi file and custom password encryption, uses weak password obfuscation, which allows local users to cause a denial of service (deployment failure) via unspecified vectors. | |||||
CVE-2009-2085 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 7.5 HIGH | N/A |
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB). | |||||
CVE-2009-1901 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 10.0 HIGH | N/A |
The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has unknown impact and remote attack vectors. | |||||
CVE-2009-1900 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.0 MEDIUM | N/A |
The Configservice APIs in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5, when tracing is enabled, allow remote attackers to obtain sensitive information via unspecified use of the wsadmin scripting tool. | |||||
CVE-2009-1899 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 10.0 HIGH | N/A |
Unspecified vulnerability in the Administrative Configservice API in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5 on z/OS allows remote authenticated users to obtain sensitive information via unknown use of the wsadmin scripting tool, related to a "security exposure in wsadmin." | |||||
CVE-2009-1898 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.0 MEDIUM | N/A |
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network. | |||||
CVE-2009-1174 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 10.0 HIGH | N/A |
The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 and 7.0 before 7.0.0.3 has an unspecified "security problem" in the XML digital-signature specification, which has unknown impact and attack vectors. | |||||
CVE-2009-1173 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 2.1 LOW | N/A |
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used. | |||||
CVE-2009-1172 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 10.0 HIGH | N/A |
The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors. | |||||
CVE-2009-0906 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.5 MEDIUM | N/A |
The Service Component Architecture (SCA) feature pack for IBM WebSphere Application Server (WAS) SCA 1.0 before 1.0.0.3 allows remote authenticated users to bypass intended authentication.transport access restrictions and obtain unspecified access via unknown vectors. | |||||
CVE-2009-0904 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.4 MEDIUM | N/A |
The IBM Stax XMLStreamWriter in the Web Services component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 does not properly process XML encoding, which allows remote attackers to bypass intended access restrictions and possibly modify data via "XML fuzzing attacks" sent through SOAP requests. | |||||
CVE-2009-0903 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 7.5 HIGH | N/A |
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted request to a JAX-WS application. | |||||
CVE-2009-0899 | 1 Ibm | 3 Integrated Solutions Console, Websphere Application Server, Websphere Portal | 2024-11-21 | 4.3 MEDIUM | N/A |
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 through 7.0.0.4, IBM WebSphere Portal Server 5.1 through 6.0, and IBM Integrated Solutions Console (ISC) 6.0.1 do not properly set the IsSecurityEnabled security flag during migration of WebSphere Member Manager (WMM) to Virtual Member Manager (VMM) and a Federated Repository, which allows attackers to obtain sensitive information from repositories via unspecified vectors. | |||||
CVE-2009-0892 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.5 MEDIUM | N/A |
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout. | |||||
CVE-2009-0891 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.5 MEDIUM | N/A |
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. | |||||
CVE-2009-0856 | 1 Ibm | 2 Websphere Application Server, Z\/os | 2024-11-21 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in sample applications in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, and 6.1 before 6.1.0.23 on z/OS, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2009-0855 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |