Redhat Jboss Aerogear vulnerabilities
3 known vulnerabilities affecting redhat/jboss_aerogear.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2014-3648 | HIGH | CVSS 7.5 | v1.0.0 | 2022-07-01
CVE-2014-3648 [HIGH] CWE-400
The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus application is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting its
nvd
CVE-2014-3650 | MEDIUM | CVSS 5.4 | v1.0.0 | 2022-07-01
CVE-2014-3650 [MEDIUM] CWE-79
Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input.
nvd
CVE-2014-3649 | MEDIUM | CVSS 6.1 | ≤ 2014-09-19 | 2019-11-04
CVE-2014-3649 [MEDIUM] CWE-79
JBoss AeroGear has reflected XSS via the password field
nvd