Ibm Websphere Application Server vulnerabilities

CVE-2012-2190 [MEDIUM] CWE-310 CVE-2012-2190: IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM WebSphere Application Server IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.4, and 8.5.x before 8.5.0.1, allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol.

CVE-2012-3293 [MEDIUM] CWE-79 CVE-2012-3293: Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.4, and 8.5.x before 8.5.0.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving FRAME elements, related to a cross-frame scripting (XFS) issue.

CVE-2012-0720 [MEDIUM] CWE-79 CVE-2012-0720: Cross-site scripting (XSS) vulnerability in the Integration Solution Console in the Administration C Cross-site scripting (XSS) vulnerability in the Integration Solution Console in the Administration Console in IBM WebSphere Application Server 7.0 before 7.0.0.23 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2012-2170 [MEDIUM] CWE-264 CVE-2012-2170: The Application Snoop Servlet in IBM WebSphere Application Server 7.0 before 7.0.0.23 does not prope The Application Snoop Servlet in IBM WebSphere Application Server 7.0 before 7.0.0.23 does not properly restrict access, which allows remote attackers to obtain sensitive client and request information via a direct request.

CVE-2012-0716 [MEDIUM] CWE-79 CVE-2012-0716: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server 7.0 before 7.0.0.23 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2012-0717 [LOW] CWE-287 CVE-2012-0717: IBM WebSphere Application Server 7.0 before 7.0.0.23, when a certain SSLv2 configuration with client IBM WebSphere Application Server 7.0 before 7.0.0.23, when a certain SSLv2 configuration with client authentication is used, allows remote attackers to bypass X.509 client-certificate authentication via unspecified vectors.

CVE-2012-2162 [MEDIUM] CWE-310 CVE-2012-2162: The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HT The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack.

CVE-2012-0707 [MEDIUM] CWE-79 CVE-2012-0707: Cross-site scripting (XSS) vulnerability in IBM WebSphere Lombardi Edition 7.2 allows remote attacke Cross-site scripting (XSS) vulnerability in IBM WebSphere Lombardi Edition 7.2 allows remote attackers to inject arbitrary web script or HTML via crafted text input to a coach that is configured with a document attachment control section.

CVE-2012-0193 [MEDIUM] CWE-20 CVE-2012-0193: IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 before 6.1.0.43, 7.0 before 7.0.0.2 IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 before 6.1.0.43, 7.0 before 7.0.0.23, and 8.0 before 8.0.0.3 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVE-2011-1376 [MEDIUM] CWE-264 CVE-2011-1376: iscdeploy in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8. iscdeploy in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2 on the IBM i platform sets weak permissions under systemapps/isclite.ear/ and bin/client_ffdc/, which allows local users to read or modify files via standard filesystem operations.

CVE-2011-1377 [CRITICAL] CVE-2011-1377: The Web Services Security component in the Web Services Feature Pack before 6.1.0.41 for IBM WebSphe The Web Services Security component in the Web Services Feature Pack before 6.1.0.41 for IBM WebSphere Application Server (WAS) 6.1 does not properly handle the enabling of WS-Security for a JAX-WS application, which has unspecified impact and attack vectors.

CVE-2011-1362 [MEDIUM] CVE-2011-1362: Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 and 7.0 before 7.0.0.19 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for C

CVE-2011-5065 [MEDIUM] CWE-79 CVE-2011-5065: Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0. Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 allows remote attackers to inject arbitrary web script or HTML via vectors related to web messaging.

CVE-2011-5066 [LOW] CWE-200 CVE-2011-5066: The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Applicati The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log

CVE-2009-2748 [MEDIUM] CWE-79 CVE-2009-2748: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.29 and 7.1 before 7.0.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2009-2747 [MEDIUM] CWE-264 CVE-2009-2747: The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (W The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call.

CVE-2011-1368 [MEDIUM] CWE-200 CVE-2011-1368: The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors.

CVE-2011-1359 [MEDIUM] CWE-22 CVE-2011-1359: Directory traversal vulnerability in the administration console in IBM WebSphere Application Server Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.

CVE-2011-1355 [MEDIUM] CWE-20 CVE-2011-1355: Open redirect vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 be Open redirect vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage parameter.

CVE-2011-1356 [LOW] CWE-200 CVE-2011-1356: IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows local user IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows local users to obtain sensitive stack-trace information via a crafted Administration Console request.