Ibm Websphere Application Server vulnerabilities

CVE-2015-1927 [MEDIUM] CWE-284 CVE-2015-1927: The default configuration of IBM WebSphere Application Server (WAS) 7.0.0 before 7.0.0.39, 8.0.0 bef The default configuration of IBM WebSphere Application Server (WAS) 7.0.0 before 7.0.0.39, 8.0.0 before 8.0.0.11, and 8.5 before 8.5.5.6 has a false value for the com.ibm.ws.webcontainer.disallowServeServletsByClassname WebContainer property, which allows remote attackers to obtain privileged access via unspecified vectors.

CVE-2015-1946 [MEDIUM] CWE-264 CVE-2015-1946: IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphere Virtual Enterprise 7.0 befo IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphere Virtual Enterprise 7.0 before 7.0.0.6 for WebSphere Application Server (WAS) 7.0 and 8.0, does not properly implement user roles, which allows local users to gain privileges via unspecified vectors.

CVE-2015-1920 [CRITICAL] CWE-284 CVE-2015-1920: IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.1 IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.5.5.6 allows remote attackers to execute arbitrary code by sending crafted instructions in a management-port session.

CVE-2015-1885 [CRITICAL] CWE-264 CVE-2015-1885: WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.39, 8.0 before 8.0 WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, 8.5 Liberty Profile before 8.5.5.5, and 8.5 Full Profile before 8.5.5.6, when the OAuth grant type requires sending a password, allows remote attackers to gain privileges via unspecified vectors.

CVE-2015-1882 [HIGH] CWE-362 CVE-2015-1882: Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5. Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 allow remote authenticated users to gain privileges by leveraging thread conflicts that result in Java code execution outside the context of the configured EJB Run-as user.

CVE-2015-0174 [MEDIUM] CWE-200 CVE-2015-0174: The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not proper The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175 [MEDIUM] CWE-264 CVE-2015-0175: IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implemen IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

CVE-2015-0106 [MEDIUM] CWE-79 CVE-2015-0106: Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2 Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6167 [MEDIUM] CWE-79 CVE-2014-6167: Cross-site scripting (XSS) vulnerability in the URL rewriting feature in IBM WebSphere Application S Cross-site scripting (XSS) vulnerability in the URL rewriting feature in IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5.4 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6174 [MEDIUM] CWE-254 CVE-2014-6174: IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5. IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5.4 allows remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6166 [MEDIUM] CVE-2014-6166: The Communications Enabled Applications (CEA) service in IBM WebSphere Application Server 8.0.x befo The Communications Enabled Applications (CEA) service in IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4, and Feature Pack for CEA 1.x before 1.0.0.15, allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVE-2014-6164 [MEDIUM] CWE-200 CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attack IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-8890 [MEDIUM] CWE-264 CVE-2014-8890: IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gai IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraints and ServletSecurity annotations.

CVE-2014-3021 [MEDIUM] CWE-20 CVE-2014-3021: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5. IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 does not properly handle HTTP headers, which allows remote attackers to obtain sensitive cookie and authentication data via an unspecified HTTP method.

CVE-2014-4816 [MEDIUM] CWE-352 CVE-2014-4816: Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Appli Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-4770 [LOW] CWE-79 CVE-2014-4770: Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.x through 6.1.0 Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated administrators to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-4758 [MEDIUM] CWE-264 CVE-2014-4758: IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.x allow re IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.x allow remote authenticated users to bypass intended access restrictions and send requests to internal services via a callService URL.

CVE-2014-3075 [LOW] CWE-79 CVE-2014-3075: Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 8.5.5 a Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.0.x allows remote authenticated users to inject arbitrary web script or HTML via an uploaded file.

CVE-2014-4764 [HIGH] CVE-2014-4764: IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.3, when Load Bal IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.3, when Load Balancer for IPv4 Dispatcher is enabled, allows remote attackers to cause a denial of service (Load Balancer crash) via unspecified vectors.

CVE-2014-4767 [MEDIUM] CWE-94 CVE-2014-4767: IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use th IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature installation, which allows remote authenticated users to execute arbitrary code via unspecified vectors.