| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of IBM WebSphere Application Server Traditional
WebSphere AS: Cross Site Request Forgery via Admin Console
Synthesis of the vulnerability
An attacker can trigger a Cross Site Request Forgery via Admin Console of WebSphere AS, in order to force the victim to perform operations.
Impacted products: Rational ClearCase, Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 11/12/2018.
Identifiers: CVE-2018-1926, ibm10742301, ibm10791781, ibm10793329, VIGILANCE-VUL-27995.
Description of the vulnerability
The WebSphere AS product offers a web service.
However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.
An attacker can therefore trigger a Cross Site Request Forgery via Admin Console of WebSphere AS, in order to force the victim to perform operations.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: privilege escalation via Cached Value
Synthesis of the vulnerability
An attacker can bypass restrictions via Cached Value of WebSphere AS, in order to escalate his privileges.
Impacted products: Tivoli System Automation, WebSphere AS Liberty, WebSphere AS Traditional.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 11/12/2018.
Identifiers: CVE-2018-1901, ibm10738727, ibm10793335, VIGILANCE-VUL-27994.
Description of the vulnerability
An attacker can bypass restrictions via Cached Value of WebSphere AS, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: information disclosure via httpServletRequest-authenticate
Synthesis of the vulnerability
An attacker can bypass access restrictions to data via httpServletRequest::authenticate() of WebSphere AS, in order to obtain sensitive information.
Impacted products: Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 07/12/2018.
Identifiers: CERTFR-2018-AVI-589, CVE-2018-1957, ibm10744247, ibm10793327, VIGILANCE-VUL-27982.
Description of the vulnerability
An attacker can bypass access restrictions to data via httpServletRequest::authenticate() of WebSphere AS, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: external XML entity injection
Synthesis of the vulnerability
An attacker can transmit malicious XML data to WebSphere AS, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Rational ClearCase, WebSphere AS Traditional.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 21/11/2018.
Identifiers: CVE-2018-1905, ibm10738721, ibm10744257, VIGILANCE-VUL-27842.
Description of the vulnerability
An attacker can transmit malicious XML data to WebSphere AS, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: directory traversal via EBA
Synthesis of the vulnerability
An attacker can traverse directories via EBA of WebSphere AS, in order to create a file outside the service root path.
Impacted products: Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 15/11/2018.
Identifiers: CVE-2018-1797, ibm10730699, ibm10743907, VIGILANCE-VUL-27795.
Description of the vulnerability
An attacker can traverse directories via EBA of WebSphere AS, in order to create a file outside the service root path.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: Cross Site Scripting via Installation Verification Tool
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via Installation Verification Tool of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Rational ClearCase, Security Directory Server, Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 12/11/2018.
Identifiers: CERTFR-2018-AVI-539, CERTFR-2018-AVI-544, CVE-2018-1643, ibm10716857, ibm10743909, ibm10794423, ibm10869322, VIGILANCE-VUL-27759.
Description of the vulnerability
The WebSphere AS product offers a web service.
However, it does not filter received data via Installation Verification Tool before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via Installation Verification Tool of WebSphere AS, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: Cross Site Scripting via SIBMsgMigration Utility
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via SIBMsgMigration Utility of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 09/11/2018.
Identifiers: CERTFR-2018-AVI-539, CVE-2018-1798, ibm10730703, ibm10743903, VIGILANCE-VUL-27743.
Description of the vulnerability
The WebSphere AS product offers a web service.
However, it does not filter received data via SIBMsgMigration Utility before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via SIBMsgMigration Utility of WebSphere AS, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: Cross Site Scripting via CacheMonitor
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via CacheMonitor of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Tivoli System Automation, WebSphere AS Liberty, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/10/2018.
Identifiers: CVE-2018-1767, ibm10729547, ibm10739945, VIGILANCE-VUL-27620.
Description of the vulnerability
The WebSphere AS product offers a web service.
However, it does not filter received data via CacheMonitor before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via CacheMonitor of WebSphere AS, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Apache Struts 1.3: Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting of Apache Struts 1.3, in order to run JavaScript code in the context of the web site.
Impacted products: Struts, Tivoli System Automation, WebSphere AS Traditional, Oracle Communications.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/10/2018.
Identifiers: 2016214, cpuoct2018, CVE-2012-1007, ibm10719287, ibm10719297, ibm10719301, ibm10719303, ibm10719307, VIGILANCE-VUL-27508.
Description of the vulnerability
The Apache Struts 1.3 product offers a web service.
However, it does not filter received data before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting of Apache Struts 1.3, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
WebSphere AS: Cross Site Scripting via Admin Console
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via Admin Console of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Rational ClearCase, Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/10/2018.
Identifiers: CVE-2018-1777, ibm10720259, ibm10730631, ibm10737723, VIGILANCE-VUL-27498.
Description of the vulnerability
The WebSphere AS product offers a web service.
However, it does not filter received data via Admin Console before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via Admin Console of WebSphere AS, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about IBM WebSphere Application Server Traditional:
|