IBM WebSphere Application Server vulnerabilities

442 known vulnerabilities affecting ibm/websphere_application_server.

Total CVEs
442
CISA KEV
1
actively exploited
Public exploits
13
Exploited in wild
2
Severity breakdown
CRITICAL 49 | HIGH 92 | MEDIUM 261 | LOW 40

Vulnerabilities

Page 14 of 23
CVE-2011-1376 | MEDIUM | CVSS 4.6 | affects v6.1, v6.1.0.1, +33 more | published 2012-01-19
CVE-2011-1376 [MEDIUM] CWE-264: iscdeploy in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2 on the IBM i platform sets weak permissions under systemapps/isclite.ear/ and bin/client_ffdc/, which allows local users to read or modify files via standard filesystem operations.
Source: NVD
CVE-2011-1377 | CRITICAL | CVSS 10.0 | affects v6.1, v6.1.0, +29 more | published 2012-01-15
CVE-2011-1377 [CRITICAL]: The Web Services Security component in the Web Services Feature Pack before 6.1.0.41 for IBM WebSphere Application Server (WAS) 6.1 does not properly handle the enabling of WS-Security for a JAX-WS application, which has unspecified impact and attack vectors.
Source: NVD
CVE-2011-1362 | MEDIUM | CVSS 4.3 | affects v6.1, v6.1.0, +43 more | published 2012-01-15
CVE-2011-1362 [MEDIUM]: Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 and 7.0 before 7.0.0.19 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for C
Source: NVD
CVE-2011-5065 | MEDIUM | CVSS 4.3 | affects v6.1, v6.1.0, +29 more | published 2012-01-15
CVE-2011-5065 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 allows remote attackers to inject arbitrary web script or HTML via vectors related to web messaging.
Source: NVD
CVE-2011-5066 | LOW | CVSS 2.1 | affects v6.1, v6.1.0, +29 more | published 2012-01-15
CVE-2011-5066 [LOW] CWE-200: The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log.
Source: NVD
CVE-2009-2748 | MEDIUM | CVSS 4.3 | affects v6.1.0, v6.1.0.0, +21 more | published 2011-10-30
CVE-2009-2748 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.29 and 7.0 before 7.0.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: NVD
CVE-2009-2747 | MEDIUM | CVSS 5.0 | affects v6.0, v6.0.0.1, +63 more | published 2011-10-30
CVE-2009-2747 [MEDIUM] CWE-264: The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call.
Source: NVD
CVE-2011-1368 | MEDIUM | CVSS 5.0 | affects v8.0.0.0 | published 2011-10-29
CVE-2011-1368 [MEDIUM] CWE-200: The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors.
Source: NVD
CVE-2011-1359 | MEDIUM | CVSS 5.0 | affects v6.1, v6.1.0, +44 more | published 2011-09-06
CVE-2011-1359 [MEDIUM] CWE-22: Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
Source: NVD
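The dot-dot traversal class that CVE-2011-1359 belongs to is the one web tier check worth getting exactly right. The following is an added example, not code from this listing or from IBM: a path mapper that decodes the URI (twice, to catch double-encoded `%252e`), treats backslashes as separators, and refuses any request whose `..` segments would climb above the document root instead of silently clamping it. The document root path and the sample request paths are constructed for the example.

```python
from typing import Optional
from urllib.parse import unquote

# Assumed, illustrative document root; not a path from any advisory.
DOC_ROOT = "/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/installedApps"


def resolve_safe_path(doc_root: str, request_path: str) -> Optional[str]:
    """Map a request URI path onto doc_root, refusing anything that climbs out.

    Decodes percent-encoding twice so a double-encoded %252e%252e is seen as
    '..', treats backslashes as separators, rejects NUL bytes, and walks the
    segments with a stack so that a '..' which would pop above the root is
    rejected (None) rather than quietly clamped to the root.
    """
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    if "\x00" in decoded:
        return None
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                      # empty or current-directory segment
        if seg == "..":
            if not segments:
                return None               # would escape doc_root
            segments.pop()
        else:
            segments.append(seg)
    return doc_root.rstrip("/") + "/" + "/".join(segments)


def is_traversal_attempt(request_path: str) -> bool:
    """Predicate for access-log triage: True if the path would be rejected."""
    return resolve_safe_path(DOC_ROOT, request_path) is None


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real log.
    for p in ["/ibm/console/logon.jsp",
              "/ibm/console/../../../../etc/passwd",
              "/%252e%252e/%252e%252e/etc/passwd",
              "/..%5c..%5cetc%5cpasswd"]:
        print(f"{p!r:45} -> {resolve_safe_path(DOC_ROOT, p)}")
```

Decoding twice is deliberate for a detection check (it catches double-encoded payloads); a server that also serves literal `%25` in file names would decode once and reject any remaining `%2e`/`%2f` instead.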
CVE-2011-1355 | MEDIUM | CVSS 5.8 | affects v6.1, v6.1.0, +42 more | published 2011-07-19
CVE-2011-1355 [MEDIUM] CWE-20: Open redirect vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage parameter.
Source: NVD
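A logout-exit or return-URL parameter like the logoutExitPage one in CVE-2011-1355 needs an allow-list check, not a blocklist. As an added example (not code from this listing or from IBM), the validator below accepts only absolute-path-relative targets and http(s) URLs whose host is on a deployment allow list, and falls back to a fixed local page otherwise. The host names, the default page and the sample inputs are assumptions made for the example.

```python
from urllib.parse import urlparse

# Assumed hostnames of the deployment; not values from the advisory.
ALLOWED_HOSTS = {"was.example.com", "dmgr.example.com"}
DEFAULT_EXIT_PAGE = "/ibm/console/logon.jsp"   # assumed local fallback page


def safe_logout_target(exit_page, allowed_hosts=ALLOWED_HOSTS,
                       default=DEFAULT_EXIT_PAGE):
    """Return exit_page only if it stays on this deployment, else default.

    Accepts: absolute-path-relative targets ('/ibm/...') and http(s) URLs whose
    host is in allowed_hosts.  Rejects: scheme-relative '//evil', backslash
    variants browsers normalise to '//', non-http schemes such as javascript:,
    userinfo tricks like 'https://good@evil', header-injection characters, and
    any host not on the allow list (including 'good.com.evil').
    """
    if not exit_page:
        return default
    candidate = exit_page.strip()
    if any(c in candidate for c in "\r\n\x00"):
        return default                       # CRLF / NUL: header injection
    if candidate.startswith(("//", "/\\", "\\")):
        return default                       # protocol-relative redirect
    parts = urlparse(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative target: only an absolute path on this host is allowed.
        return candidate if candidate.startswith("/") else default
    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname in allowed_hosts:      # hostname is already lower-cased
        return candidate
    return default


if __name__ == "__main__":
    # Constructed sample values for the parameter, not real traffic.
    for value in ["/ibm/console/logon.jsp",
                  "https://was.example.com/ibm/console/",
                  "//evil.example/phish",
                  "https://was.example.com@evil.example/",
                  "javascript:alert(1)"]:
        print(f"{value!r:45} -> {safe_logout_target(value)}")
```

The comparison is against `parts.hostname`, not `netloc`, so userinfo and port suffixes cannot smuggle a foreign host past an equality check.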
CVE-2011-1356 | LOW | CVSS 2.1 | affects v6.1, v6.1.0, +42 more | published 2011-07-19
CVE-2011-1356 [LOW] CWE-200: IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows local users to obtain sensitive stack-trace information via a crafted Administration Console request.
Source: NVD
CVE-2010-3271 | MEDIUM | CVSS 6.8 | PoC available | affects ≤ 7.0.0.13 (v2.0, +137 more) | published 2011-07-18
CVE-2010-3271 [MEDIUM] CWE-352: Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDet
Source: NVD
CVE-2011-1209 | MEDIUM | CVSS 4.3 | affects v6.1.0, v6.1.0.0, +44 more | published 2011-05-04
CVE-2011-1209 [MEDIUM] CWE-310: IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.17 uses a weak WS-Security XML encryption algorithm, which makes it easier for remote attackers to obtain plaintext data from a (1) JAX-RPC or (2) JAX-WS Web Services request via unspecified vectors related to a "decryption attack."
Source: NVD
CVE-2011-1683 | MEDIUM | CVSS 6.8 | affects v6.0, v6.0.0.1, +95 more | published 2011-04-13
CVE-2011-1683 [MEDIUM] CWE-264: IBM WebSphere Application Server (WAS) 6.0.x through 6.0.2.43, 6.1.x before 6.1.0.37, and 7.0.x before 7.0.0.17 on z/OS, when a Local OS user registry or Federated Repository with RACF adapter is used, allows remote attackers to obtain unspecified application access via unknown vectors.
Source: NVD
CVE-2011-1309 | HIGH | CVSS 7.5 | affects ≤ 7.0.0.13 (v2.0, +137 more) | published 2011-03-08
CVE-2011-1309 [HIGH] CWE-20: The Plug-in component in IBM WebSphere Application Server (WAS) before 7.0.0.15 does not properly handle trace requests, which has unspecified impact and attack vectors.
Source: NVD
CVE-2011-1320 | MEDIUM | CVSS 6.8 | affects v6.1.0, v6.1.0.0, +30 more | published 2011-03-08
CVE-2011-1320 [MEDIUM] CWE-20: The Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15, when the Tivoli Integrated Portal / embedded WebSphere Application Server (TIP/eWAS) framework is used, does not properly delete AuthCache entries upon a logout, which might allow remote attackers to access the server by leveraging an unatt
Source: NVD
CVE-2011-1316 | MEDIUM | CVSS 5.0 | affects ≤ 7.0.0.13 (v2.0, +137 more) | published 2011-03-08
CVE-2011-1316 [MEDIUM] CWE-399: The Session Initiation Protocol (SIP) Proxy in the HTTP Transport component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (worker thread exhaustion and UDP messaging outage) by sending many UDP messages.
Source: NVD
CVE-2011-1312 | MEDIUM | CVSS 4.0 | affects v6.1.0, v6.1.0.0, +28 more | published 2011-03-08
CVE-2011-1312 [MEDIUM] CWE-264: The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.31 and 7.x before 7.0.0.15 does not prevent modifications of the primary admin id, which allows remote authenticated administrators to bypass intended access restrictions by mapping a (1) user or (2) group to an administrator role.
Source: NVD
CVE-2011-1313 | MEDIUM | CVSS 5.0 | affects v6.1.0, v6.1.0.0, +30 more | published 2011-03-08
CVE-2011-1313 [MEDIUM] CWE-399: Double free vulnerability in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15 allows remote backend IIOP servers to cause a denial of service (S0C4 ABEND and storage corruption) by rejecting IIOP requests at opportunistic time instants, as demonstrated by requests associated with an ORB_Request::getACRWorkElementPt
Source: NVD
CVE-2011-1314 | MEDIUM | CVSS 5.0 | affects ≤ 7.0.0.13 (v2.0, +137 more) | published 2011-03-08
CVE-2011-1314 [MEDIUM] CWE-399: The Service Integration Bus (SIB) messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (daemon hang) by performing close operations via network connections to a queue manager.
Source: NVD
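Every entry on this page states its affected range in the same NVD phrasing ("6.1 before 6.1.0.43, 7.0 before 7.0.0.21", "6.0.x through 6.0.2.43", "7.0.0.13 and earlier", or a bare "before 7.0.0.15"), and the practical question is which of them apply to a given installed fix pack. The block below is an added example, not tooling from this site or from IBM: it parses those clauses into (branch, bound, inclusive) ranges, compares fix-pack versions as integer tuples, and reports which CVEs match. The ENTRIES table copies the version clauses from the entries on this page with the rest of each description shortened; the sample installed versions are constructed.

```python
import re
from typing import List, Tuple

Version = Tuple[int, ...]
# (branch prefix, bound, inclusive); an empty branch means "any earlier version".
Range = Tuple[Version, Version, bool]

# "6.1 before 6.1.0.43", "7.x before 7.0.0.15", "6.0.x through 6.0.2.43",
# or a bare "before 7.0.0.15" with no branch prefix.
_BEFORE_OR_THROUGH = re.compile(
    r"(?:(\d+(?:\.\d+)*)(?:\.x)?\s+)?\b(before|through)\s+(\d+(?:\.\d+)+)")
# "7.0.0.13 and earlier": inclusive upper bound, no branch restriction.
_AND_EARLIER = re.compile(r"(\d+(?:\.\d+)+)\s+and earlier")


def parse_version(text: str) -> Version:
    """'7.0.0.19' -> (7, 0, 0, 19); tuple comparison orders fix packs correctly."""
    return tuple(int(p) for p in text.split("."))


def affected_ranges(description: str) -> List[Range]:
    """Extract every affected-version clause from an NVD-style description."""
    ranges: List[Range] = []
    for m in _BEFORE_OR_THROUGH.finditer(description):
        branch = parse_version(m.group(1)) if m.group(1) else ()
        ranges.append((branch, parse_version(m.group(3)), m.group(2) == "through"))
    for m in _AND_EARLIER.finditer(description):
        ranges.append(((), parse_version(m.group(1)), True))
    return ranges


def is_affected(installed: str, description: str) -> bool:
    """True if the installed version falls inside any clause of the description."""
    v = parse_version(installed)
    for branch, bound, inclusive in affected_ranges(description):
        if branch and v[:len(branch)] != branch:
            continue                       # clause is about a different branch
        if v < bound or (inclusive and v == bound):
            return True
    return False


# Version clauses copied from the entries above; descriptions shortened.
ENTRIES = [
    ("CVE-2011-1376", "6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2"),
    ("CVE-2011-1368", "8.x before 8.0.0.1"),
    ("CVE-2011-1355", "6.1 before 6.1.0.39 and 7.0 before 7.0.0.19"),
    ("CVE-2010-3271", "7.0.0.13 and earlier"),
    ("CVE-2011-1320", "6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15"),
    ("CVE-2011-1683", "6.0.x through 6.0.2.43, 6.1.x before 6.1.0.37, and 7.0.x before 7.0.0.17"),
]


def applicable_cves(installed: str, entries=ENTRIES) -> List[str]:
    """CVE ids from entries whose affected range covers the installed version."""
    return [cve for cve, desc in entries if is_affected(installed, desc)]


if __name__ == "__main__":
    # Constructed sample installed versions, e.g. from versionInfo.sh output.
    for ver in ("6.1.0.29", "7.0.0.17", "8.0.0.2"):
        print(ver, "->", applicable_cves(ver))
```

A clause without a branch prefix ("before 7.0.0.15", "7.0.0.13 and earlier") is treated as covering every earlier branch too, which is how NVD lists those entries here (the "≤ 7.0.0.13, +137 more" rows). Interim fixes and the z/OS or IBM i platform qualifiers in some descriptions are not modelled; confirm against the IBM security bulletin before closing a finding.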