Redhat Jboss Enterprise Portal Platform vulnerabilities

22 known vulnerabilities affecting redhat/jboss_enterprise_portal_platform.

Total CVEs

CISA KEV

Public exploits

Exploited in wild

Severity breakdown

HIGH5MEDIUM14LOW3

Vulnerabilities

Page 1 of 2

CVE-2015-3244MEDIUMCVSS 4.9v6.2.02015-07-16

CVE-2015-3244 [MEDIUM] CWE-264 CVE-2015-3244: The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with th The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with the default resource serving for GenericPortlet, does not properly restrict access to restricted resources, which allows remote attackers to obtain sensitive information via a URL with a modified resource ID.

nvd

CVE-2014-7852MEDIUMCVSS 4.3v6.1.12014-12-11

CVE-2014-7852 [MEDIUM] CWE-79 CVE-2014-7852: Cross-site scripting (XSS) vulnerability in JBoss RichFaces, as used in JBoss Portal 6.1.1, allows r Cross-site scripting (XSS) vulnerability in JBoss RichFaces, as used in JBoss Portal 6.1.1, allows remote attackers to inject arbitrary web script or HTML via crafted URL, which is not properly handled in a CSS file.

nvd

CVE-2014-3518MEDIUMCVSS 6.8v5.2.22014-07-22

CVE-2014-3518 [MEDIUM] CWE-94 CVE-2014-3518: jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.

nvd

CVE-2011-4580MEDIUMCVSS 4.3≤ 5.1.1v4.3.0+3 more2014-02-26

CVE-2011-4580 [MEDIUM] CWE-79 CVE-2011-4580: Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Enterprise Portal Platform befo Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

nvd

CVE-2011-2941MEDIUMCVSS 5.8≤ 5.1.1v4.3.0+3 more2014-02-26

CVE-2011-2941 [MEDIUM] CWE-20 CVE-2011-2941: Open redirect vulnerability in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allows remote a Open redirect vulnerability in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the initialURI parameter.

nvd

CVE-2013-2185HIGHCVSS 7.5v6.0.02014-01-19

CVE-2013-2185 [HIGH] CWE-20 CVE-2013-2185: The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat J The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly dispute

nvd

CVE-2013-4424MEDIUMCVSS 4.3v6.1.02013-12-23

CVE-2013-4424 [MEDIUM] CWE-79 CVE-2013-4424: Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Portal component in Red Hat JBoss Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Portal component in Red Hat JBoss Portal 6.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

nvd

CVE-2013-2186HIGHCVSS 7.5v4.3.0v5.2.2+1 more2013-10-28

CVE-2013-2186 [HIGH] CWE-20 CVE-2013-2186: The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Port The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

nvd

CVE-2013-2102LOWCVSS 3.3≤ 6.0.0v4.3.0+7 more2013-10-28

CVE-2013-2102 [LOW] CWE-287 CVE-2013-2102: The default configuration of Red Hat JBoss Portal before 6.1.0 enables the JGroups diagnostics servi The default configuration of Red Hat JBoss Portal before 6.1.0 enables the JGroups diagnostics service with no authentication when a JGroups channel is started, which allows remote attackers to obtain sensitive information (diagnostics) by accessing the service.

nvd

CVE-2012-4572LOWCVSS 3.7≤ 6.0.0v4.3.0+7 more2013-10-28

CVE-2012-4572 [LOW] CWE-264 CVE-2012-4572: Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted ap

nvd

CVE-2012-5575MEDIUMCVSS 6.4v4.3.02013-08-19

CVE-2012-5575 [MEDIUM] CWE-310 CVE-2012-5575: Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify t Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt commu

nvd

CVE-2011-1483MEDIUMCVSS 5.0v4.3.0v5.1.12013-07-29

CVE-2011-1483 [MEDIUM] CVE-2011-1483: wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 d

nvd

CVE-2013-2165HIGHCVSS 7.5v4.3.0v5.0.0+6 more2013-07-23

CVE-2013-2165 [HIGH] CWE-264 CVE-2013-2165: ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framew ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1,

nvd

CVE-2013-0314HIGHCVSS 7.5v5.2.22013-04-12

CVE-2013-0314 [HIGH] CWE-287 CVE-2013-0314: The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly c The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.

nvd

CVE-2012-3532MEDIUMCVSS 6.8≤ 5.2.2v4.3.0+6 more2013-04-12

CVE-2012-3532 [MEDIUM] CWE-352 CVE-2012-3532: Cross-site request forgery (CSRF) vulnerability in the GateIn Portal component in JBoss Enterprise P Cross-site request forgery (CSRF) vulnerability in the GateIn Portal component in JBoss Enterprise Portal Platform 5.2.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

nvd

CVE-2013-0315MEDIUMCVSS 5.0v5.2.22013-04-12

CVE-2013-0315 [MEDIUM] CWE-264 CVE-2013-0315: The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attac The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack.

nvd

CVE-2012-5531MEDIUMCVSS 4.3v5.2.22013-01-18

CVE-2012-5531 [MEDIUM] CWE-79 CVE-2012-5531: Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Portal in JBoss Enterprise Portal Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Portal in JBoss Enterprise Portal Platform 5.2.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

nvd

CVE-2011-4605HIGHCVSS 7.5v4.3.0v5.2.0+1 more2012-11-23

CVE-2011-4605 [HIGH] CWE-264 CVE-2011-4605: The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to

nvd

CVE-2011-4085MEDIUMCVSS 6.8≤ 4.3.02012-11-23

CVE-2011-4085 [MEDIUM] CVE-2011-4085: The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Pl The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnera

nvd

CVE-2011-1096MEDIUMCVSS 5.0≤ 5.2.1v5.0.0+4 more2012-11-23

CVE-2011-1096 [MEDIUM] CWE-310 CVE-2011-1096: The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Ente The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Enterprise Portal Platform before 5.2.2 and other products, when using block ciphers in cipher-block chaining (CBC) mode, allows remote attackers to obtain plaintext data via a chosen-ciphertext attack on SOAP responses, aka "character encoding pattern atta

nvd

1 / 2Next →