Ibm Websphere Application Server vulnerabilities
451 known vulnerabilities affecting ibm/websphere_application_server.
Total CVEs
451
CISA KEV
1
actively exploited
Public exploits
13
Exploited in wild
2
Severity breakdown
CRITICAL53HIGH95MEDIUM263LOW40
Vulnerabilities
Page 10 of 23
CVE-2016-0306MEDIUMCVSS 5.9v7.0.0.0v7.0.0.1+47 more2016-05-17
CVE-2016-0306 [MEDIUM] CWE-200 CVE-2016-0306: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5.
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5.5.10, when FIPS 140-2 is enabled, misconfigures TLS, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.
nvd
CVE-2016-0283MEDIUMCVSS 6.1v8.5.5.0v8.5.5.1+7 more2016-03-19
CVE-2016-0283 [MEDIUM] CWE-79 CVE-2016-0283: Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) client web application in IBM
Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) client web application in IBM WebSphere Application Server (WAS) Liberty Profile 8.5.5 before 8.5.5.9 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
nvd
CVE-2015-7417MEDIUMCVSS 5.4v7.0.0.0v7.0.0.1+45 more2016-01-23
CVE-2015-7417 [MEDIUM] CWE-79 CVE-2015-7417: Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 7.0 before 7.0.0.41, 8.
Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 7.0 before 7.0.0.41, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.9 allows remote authenticated users to inject arbitrary web script or HTML via crafted data from an OAuth provider.
nvd
CVE-2015-7450CRITICALCVSS 9.8KEVPoCv7.0.0.0v8.0.0.0+3 more2016-01-02
CVE-2015-7450 [CRITICAL] CWE-502 CVE-2015-7450: Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastruct
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
nvd
CVE-2015-5004MEDIUMCVSS 4.0v8.0.0.0v8.0.0.1+21 more2015-12-15
CVE-2015-5004 [MEDIUM] CWE-200 CVE-2015-5004: The Edge Component Caching Proxy in IBM WebSphere Application Server (WAS) 8.0 before 8.0.0.12 and 8
The Edge Component Caching Proxy in IBM WebSphere Application Server (WAS) 8.0 before 8.0.0.12 and 8.5 before 8.5.5.8 does not properly encrypt data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
nvd
CVE-2015-2017MEDIUMCVSS 4.3v6.1v6.1.0+82 more2015-11-08
CVE-2015-2017 [MEDIUM] CVE-2015-2017: CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 bef
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
nvd
CVE-2015-4938MEDIUMCVSS 5.0v7.0.0.1v7.0.0.2+52 more2015-08-22
CVE-2015-4938 [MEDIUM] CVE-2015-4938: IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.
IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.7 allows remote attackers to spoof servlets and obtain sensitive information via unspecified vectors.
nvd
CVE-2015-1932MEDIUMCVSS 5.0v7.0.0.1v7.0.0.2+52 more2015-08-22
CVE-2015-1932 [MEDIUM] CWE-200 CVE-2015-1932: IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.
IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.7 and WebSphere Virtual Enterprise before 7.0.0.7 allow remote attackers to obtain potentially sensitive information about the proxy-server software by reading the HTTP Via header.
nvd
CVE-2015-1936MEDIUMCVSS 6.0v8.0.0.0v8.0.0.1+18 more2015-07-14
CVE-2015-1936 [MEDIUM] CWE-284 CVE-2015-1936: The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 b
The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 before 8.5.5.6, when the Security feature is disabled, allows remote authenticated users to hijack sessions via the JSESSIONID parameter.
nvd
CVE-2015-1927MEDIUMCVSS 6.8v7.0v7.0.0.1+52 more2015-07-14
CVE-2015-1927 [MEDIUM] CWE-284 CVE-2015-1927: The default configuration of IBM WebSphere Application Server (WAS) 7.0.0 before 7.0.0.39, 8.0.0 bef
The default configuration of IBM WebSphere Application Server (WAS) 7.0.0 before 7.0.0.39, 8.0.0 before 8.0.0.11, and 8.5 before 8.5.5.6 has a false value for the com.ibm.ws.webcontainer.disallowServeServletsByClassname WebContainer property, which allows remote attackers to obtain privileged access via unspecified vectors.
nvd
CVE-2015-1946MEDIUMCVSS 4.4v7.0v8.0.0.0+9 more2015-07-14
CVE-2015-1946 [MEDIUM] CWE-264 CVE-2015-1946: IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphere Virtual Enterprise 7.0 befo
IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphere Virtual Enterprise 7.0 before 7.0.0.6 for WebSphere Application Server (WAS) 7.0 and 8.0, does not properly implement user roles, which allows local users to gain privileges via unspecified vectors.
nvd
CVE-2015-1920CRITICALCVSS 10.0v6.1v6.1.0+76 more2015-05-20
CVE-2015-1920 [CRITICAL] CWE-284 CVE-2015-1920: IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.1
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.5.5.6 allows remote attackers to execute arbitrary code by sending crafted instructions in a management-port session.
nvd
CVE-2015-1885CRITICALCVSS 9.3v7.0v7.0.0.1+35 more2015-04-27
CVE-2015-1885 [CRITICAL] CWE-264 CVE-2015-1885: WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.39, 8.0 before 8.0
WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, 8.5 Liberty Profile before 8.5.5.5, and 8.5 Full Profile before 8.5.5.6, when the OAuth grant type requires sending a password, allows remote attackers to gain privileges via unspecified vectors.
nvd
CVE-2015-1882HIGHCVSS 8.5v8.5.0.0v8.5.0.1+6 more2015-04-27
CVE-2015-1882 [HIGH] CWE-362 CVE-2015-1882: Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.
Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 allow remote authenticated users to gain privileges by leveraging thread conflicts that result in Java code execution outside the context of the configured EJB Run-as user.
nvd
CVE-2015-0174MEDIUMCVSS 4.0v8.5.0.0v8.5.0.1+6 more2015-04-27
CVE-2015-0174 [MEDIUM] CWE-200 CVE-2015-0174: The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not proper
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
nvd
CVE-2015-0175MEDIUMCVSS 5.5v8.5.0.0v8.5.0.1+6 more2015-04-27
CVE-2015-0175 [MEDIUM] CWE-264 CVE-2015-0175: IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implemen
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.
nvd
CVE-2015-0106MEDIUMCVSS 4.3v7.1v7.2+5 more2015-03-24
CVE-2015-0106 [MEDIUM] CWE-79 CVE-2015-0106: Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
nvd
CVE-2014-6167MEDIUMCVSS 4.3v7.0.0.1v7.0.0.2+46 more2014-12-18
CVE-2014-6167 [MEDIUM] CWE-79 CVE-2014-6167: Cross-site scripting (XSS) vulnerability in the URL rewriting feature in IBM WebSphere Application S
Cross-site scripting (XSS) vulnerability in the URL rewriting feature in IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5.4 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
nvd
CVE-2014-6174MEDIUMCVSS 4.3v7.0.0.1v7.0.0.2+46 more2014-12-18
CVE-2014-6174 [MEDIUM] CWE-254 CVE-2014-6174: IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5.
IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5.4 allows remote attackers to conduct clickjacking attacks via a crafted web site.
nvd
CVE-2014-6166MEDIUMCVSS 4.3v8.0.0.0v8.0.0.1+15 more2014-12-18
CVE-2014-6166 [MEDIUM] CVE-2014-6166: The Communications Enabled Applications (CEA) service in IBM WebSphere Application Server 8.0.x befo
The Communications Enabled Applications (CEA) service in IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4, and Feature Pack for CEA 1.x before 1.0.0.15, allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
nvd