Redhat Jboss Bpm Suite vulnerabilities

CVE-2018-19360 [CRITICAL] CWE-502 CVE-2018-19360: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leve FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

CVE-2018-19361 [CRITICAL] CWE-502 CVE-2018-19361: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leve FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

CVE-2018-19362 [CRITICAL] CWE-502 CVE-2018-19362: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leve FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

CVE-2016-6343 [MEDIUM] CWE-79 CVE-2016-6343: JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice auth JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user.

CVE-2016-8608 [MEDIUM] CVE-2016-8608: JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.

CVE-2017-2658 [LOW] CWE-20 CVE-2017-2658: It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 an It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjac

CVE-2017-7463 [MEDIUM] CWE-79 CVE-2017-7463: JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A m JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user.

CVE-2017-2674 [MEDIUM] CWE-20 CVE-2017-2674: JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Busine JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, inclu

CVE-2017-7545 [MEDIUM] CWE-611 CVE-2017-7545: It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external param It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

CVE-2015-7501 [CRITICAL] CWE-502 CVE-2015-7501: Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualiza Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Ha

CVE-2016-5401 [HIGH] CWE-352 CVE-2016-5401: Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attac Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.

CVE-2016-5398 [MEDIUM] CWE-79 CVE-2016-5398: Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite befor Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes.

CVE-2016-7034 [HIGH] CWE-352 CVE-2016-7034: The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated duri The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.

CVE-2016-6344 [MEDIUM] CWE-200 CVE-2016-6344: Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.

CVE-2016-7033 [MEDIUM] CWE-79 CVE-2016-7033: Multiple cross-site scripting (XSS) vulnerabilities in the admin pages in dashbuilder in Red Hat JBo Multiple cross-site scripting (XSS) vulnerabilities in the admin pages in dashbuilder in Red Hat JBoss BPM Suite 6.3.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2016-4999 [CRITICAL] CWE-89 CVE-2016-4999: SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/datapro SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.

CVE-2015-1818 [HIGH] CVE-2015-1818: XML external entity (XXE) vulnerability in the dashbuilder import facility (DocumentBuilders in org. XML external entity (XXE) vulnerability in the dashbuilder import facility (DocumentBuilders in org.jboss.dashboard.export.ImportManagerImpl) in Red Hat JBoss BPM Suite before 6.1.2 allows remote attackers to read arbitrary files, conduct server-side request forgery (SSRF) attacks, and have other unspecified impact via a crafted XML document.

CVE-2013-6468 [MEDIUM] CWE-94 CVE-2013-6468: JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remot JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.