RWS WorldServer vulnerabilities
7 known vulnerabilities affecting rws/worldserver.

Total CVEs: 7
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 1, MEDIUM 3

Vulnerabilities
CVE-2022-34267 | P1 | CRITICAL | CVSS 9.8 | CWE-287 | PoC | fixed in 11.7.3 | 2023-12-25
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint.
Source: nvd
CVE-2023-38357 | P3 | MEDIUM | CVSS 5.3 | CWE-331 | PoC | fixed in 11.8.0 | 2023-08-01
Session tokens in RWS WorldServer 11.7.3 and earlier have low entropy and can be enumerated, leading to unauthorized access to user sessions.
Source: nvd
CVE-2022-34268 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 11.7.3 | 2023-12-25
An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.
Source: nvd
CVE-2022-34269 | P3 | HIGH | CVSS 8.8 | CWE-918 | fixed in 11.7.3 | 2024-02-29
An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/load_dtd?system_id= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution.
Source: nvd
CVE-2022-34270 | P3 | CRITICAL | CVSS 9.8 | CWE-284 | fixed in 11.7.3 | 2024-02-29
An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager.
Source: nvd
CVE-2024-50848 | P3 | MEDIUM | CVSS 6.5 | CWE-611 | v11.8.2 | 2024-11-18
An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 allows attackers to access sensitive information and execute arbitrary commands via a crafted .tmx file.
Source: nvd
CVE-2024-50849 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | v11.8.2 | 2024-11-18
A Stored Cross-Site Scripting (XSS) vulnerability in the "Rules" functionality of WorldServer v11.8.2 allows a remote authenticated attacker to execute arbitrary JavaScript code.
Source: nvd