Ibm Websphere Application Server vulnerabilities

CVE-2011-0316 [MEDIUM] CWE-264 CVE-2011-0316: The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 a The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request.

CVE-2011-0315 [MEDIUM] CWE-79 CVE-2011-0315: Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebS Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an error page for an application.

CVE-2010-0786 [MEDIUM] CWE-20 CVE-2010-0786: The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 do The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request that leads to incorrectly encoded data.

CVE-2010-0784 [MEDIUM] CWE-79 CVE-2010-0784: Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2010-0783 [MEDIUM] CWE-79 CVE-2010-0783: Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2010-4220 [MEDIUM] CWE-79 CVE-2010-4220: Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Co Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."

CVE-2010-0785 [MEDIUM] CWE-352 CVE-2010-0785: Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Appli Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2010-3700 [MEDIUM] CWE-264 CVE-2010-3700: VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.

CVE-2010-0781 [MEDIUM] CVE-2010-0781: Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6. Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL.

CVE-2010-3186 [CRITICAL] CWE-20 CVE-2010-3186: IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors.

CVE-2010-0779 [MEDIUM] CWE-79 CVE-2010-0779: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2010-0778 [MEDIUM] CWE-79 CVE-2010-0778: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2010-2324 [HIGH] CVE-2010-2324: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspe IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via unknown vectors.

CVE-2010-2326 [MEDIUM] CWE-200 CVE-2010-2326: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node federation, allows attackers to obtain sensitive information about CIMMetadataCollectorImpl trace actions by reading the addNode.log file.

CVE-2010-2325 [MEDIUM] CWE-79 CVE-2010-2325: Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."

CVE-2010-2328 [MEDIUM] CVE-2010-2328: The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attacke The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (NullPointerException) via a large amount of chunked data that uses gzip compression.

CVE-2010-2327 [MEDIUM] CWE-20 CVE-2010-2327: mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a denial of service (daemon fail) via an upload.

CVE-2010-2323 [MEDIUM] CWE-200 CVE-2010-2323: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain s IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT.

CVE-2010-0775 [MEDIUM] CWE-399 CVE-2010-0775: Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a crafted request, related to the nodeagent and Deployment Manager components.

CVE-2010-0776 [MEDIUM] CWE-20 CVE-2010-0776: The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31 The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle chunked transfer encoding during a call to response.sendRedirect, which allows remote attackers to cause a denial of service via a GET request.