Vulnerabilities (CVE)

Filtered by vendor Redhat Subscribe
Filtered by product Jboss Aerogear
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-3650 1 Redhat 1 Jboss Aerogear 2024-11-21 3.5 LOW 5.4 MEDIUM
Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input.
CVE-2014-3649 1 Redhat 1 Jboss Aerogear 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
JBoss AeroGear has reflected XSS via the password field
CVE-2014-3648 1 Redhat 1 Jboss Aerogear 2024-11-21 5.0 MEDIUM 7.5 HIGH
The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer for the posting of malware and so on.