The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of IBM WebSphere Application Server Traditional

computer vulnerability CVE-2018-1926

WebSphere AS: Cross Site Request Forgery via Admin Console

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery via Admin Console of WebSphere AS, in order to force the victim to perform operations.
Impacted products: Rational ClearCase, Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 11/12/2018.
Identifiers: CVE-2018-1926, ibm10742301, ibm10791781, ibm10793329, VIGILANCE-VUL-27995.

Description of the vulnerability

The WebSphere AS product offers a web service.

However, the Admin Console does not check the origin of the requests it processes. A request forged by another site, for example through an image or a form embedded in an HTML document that an authenticated administrator views, is accepted and executed with the administrator's session.

An attacker can therefore trigger a Cross Site Request Forgery via Admin Console of WebSphere AS, in order to force the victim to perform operations.
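As an added example that is not part of the Vigil@nce bulletin or of IBM's code, the following plain-Java class shows the two checks that stop a forged cross-site request to an administrative console: the browser-supplied source (Origin, or Referer when Origin is absent) must be the console itself, and the request must carry a secret token bound to the session. The class name, the console address and the hostile-site names are assumptions; in a real deployment the check would run from a servlet Filter in front of every endpoint that changes state, whatever its HTTP method, which is exactly what an `<img src>` forgery relies on being absent.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example (not IBM or Vigil@nce code): source and token checks for
 * state-changing requests. Names are illustrative.
 */
public final class CsrfGuard {
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue a fresh per-session token: store it in the session, embed it in every admin form. */
    public static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * Decide whether a state-changing request may proceed, regardless of HTTP method.
     * An <img src="..."> on a hostile page is a GET that carries the administrator's
     * cookie but neither a matching source nor the session token, so it is refused.
     *
     * @param origin         Origin header value, or null if the browser sent none
     * @param referer        Referer header value, or null
     * @param consoleOrigin  scheme://host[:port] of the console itself (assumed value in main)
     * @param sessionToken   token stored in the authenticated session
     * @param submittedToken token taken from the form body or a custom header, or null
     */
    public static boolean allowStateChange(String origin, String referer, String consoleOrigin,
                                           String sessionToken, String submittedToken) {
        // Check 1: the browser-supplied source (Origin, else Referer) must be the console itself.
        String source = (origin != null) ? origin : referer;
        if (source == null || !sameOrigin(source, consoleOrigin)) {
            return false;           // missing or foreign source: treat as forged
        }
        // Check 2: the request must carry the per-session secret; compare in constant time.
        if (sessionToken == null || submittedToken == null) {
            return false;
        }
        return MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    /** Compare scheme, host and effective port; a Referer may carry a path, which is ignored. */
    static boolean sameOrigin(String headerValue, String consoleOrigin) {
        try {
            URI a = URI.create(headerValue);
            URI b = URI.create(consoleOrigin);
            return a.getScheme() != null && a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
        } catch (IllegalArgumentException e) {
            return false;           // unparsable header: treat as foreign
        }
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    private static void expect(String label, boolean expected, boolean actual) {
        System.out.println((expected == actual ? "ok   " : "FAIL ") + label + " -> " + actual);
    }

    public static void main(String[] args) {
        String console = "https://was-admin.example:9043";   // assumed console address
        String token = newToken();
        // Legitimate submission from a console form: same origin, token present.
        expect("same-origin form with token", true,
               allowStateChange(console, null, console, token, token));
        // Forged via <img src> on evil.example: Referer names the hostile page, no token.
        expect("img forgery with foreign Referer", false,
               allowStateChange(null, "https://evil.example/p.html", console, token, null));
        // Forged with the Referer suppressed by the hostile page: no source at all.
        expect("img forgery with no source headers", false,
               allowStateChange(null, null, console, token, null));
        // Right token from the wrong site (e.g. token leaked into a log): source check still refuses.
        expect("foreign Origin with valid token", false,
               allowStateChange("https://evil.example", null, console, token, token));
    }
}
```

The source check alone is not enough (browsers can omit both headers, and some proxies strip Referer), and the token alone is not enough against a token that leaks; applying both, and moving every state change off GET so that an image request can never trigger one, is the combination the console was missing.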
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2018-1901

WebSphere AS: privilege escalation via Cached Value

Synthesis of the vulnerability

An attacker can bypass restrictions via Cached Value of WebSphere AS, in order to escalate his privileges.
Impacted products: Tivoli System Automation, WebSphere AS Liberty, WebSphere AS Traditional.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 11/12/2018.
Identifiers: CVE-2018-1901, ibm10738727, ibm10793335, VIGILANCE-VUL-27994.

Description of the vulnerability

An attacker can bypass restrictions via Cached Value of WebSphere AS, in order to escalate his privileges.

vulnerability announcement CVE-2018-1957

WebSphere AS: information disclosure via HttpServletRequest.authenticate()

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via the HttpServletRequest.authenticate() method of WebSphere AS, in order to obtain sensitive information.
Impacted products: Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 07/12/2018.
Identifiers: CERTFR-2018-AVI-589, CVE-2018-1957, ibm10744247, ibm10793327, VIGILANCE-VUL-27982.

Description of the vulnerability

An attacker can bypass access restrictions to data via the HttpServletRequest.authenticate() method of WebSphere AS, in order to obtain sensitive information.

vulnerability announcement CVE-2018-1905

WebSphere AS: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to WebSphere AS, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Rational ClearCase, WebSphere AS Traditional.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 21/11/2018.
Identifiers: CVE-2018-1905, ibm10738721, ibm10744257, VIGILANCE-VUL-27842.

Description of the vulnerability

The XML parser used by WebSphere AS resolves external entities declared in the DOCTYPE of a received document.

An attacker can therefore transmit malicious XML data to WebSphere AS, in order to read a local file, reach internal hosts through the server (site scanning), or trigger a denial of service.
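As an added example that is not part of the Vigil@nce bulletin or of IBM's code, the following program parses the same document twice with the JDK's own JAXP parser: once with a default `DocumentBuilderFactory`, which on the historical JDK defaults follows the external entity and copies a local file into the DOM, and once with a factory hardened to refuse any DOCTYPE. The "secret" file, the element names and the class name are constructed for the illustration; the same `SYSTEM` identifier could just as well be an `http://` URL pointing at an internal host, which is the site-scanning case.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not IBM or Vigil@nce code): one XML document parsed with a
 * default JAXP factory and with one hardened against external entities.
 */
public final class XxeDemo {

    /** Constructed payload: an external entity pointing at a file the server process can read. */
    static String payload(Path secretFile) {
        // Replacing the file: URI with http://internal-host/ would turn the read into a server-side probe.
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE order [ <!ENTITY secret SYSTEM \"" + secretFile.toUri() + "\"> ]>\n"
             + "<order><note>&secret;</note></order>";
    }

    /** Default factory: DOCTYPE declarations and external general entities are honoured. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE at all, plus no external DTD or schema access as defence in depth. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE blocks external entities and entity-expansion DoS in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that only honour the SAX/Xerces features.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parse and return the text of <note>, or a description of why parsing was refused. */
    static String noteText(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getElementsByTagName("note").item(0).getTextContent();
        } catch (SAXParseException e) {
            return "REFUSED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for anything readable by the server process.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);
        try {
            // Default parser: the entity is resolved and the file content lands in the DOM.
            System.out.println("default : " + noteText(defaultFactory(), xml));
            // Hardened parser: the DOCTYPE itself is rejected before any entity is fetched.
            System.out.println("hardened: " + noteText(hardenedFactory(), xml));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The `disallow-doctype-decl` feature is the single setting that matters when an application has no legitimate need for DTDs; the remaining features and the `ACCESS_EXTERNAL_*` attributes cover parsers that do not recognise it. Applications that must accept a DOCTYPE keep the first line off and rely on the rest.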

computer vulnerability CVE-2018-1797

WebSphere AS: directory traversal via EBA

Synthesis of the vulnerability

An attacker can traverse directories via an EBA (Enterprise Bundle Archive) of WebSphere AS, in order to create a file outside the service root path.
Impacted products: Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 15/11/2018.
Identifiers: CVE-2018-1797, ibm10730699, ibm10743907, VIGILANCE-VUL-27795.

Description of the vulnerability

Entry paths taken from an EBA (Enterprise Bundle Archive) are not confined to the intended target directory before files are written.

An attacker can therefore traverse directories via an EBA of WebSphere AS, in order to create a file outside the service root path.
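An EBA is a zip-based archive, and the class of bug described above is the one that arises when archive entry names such as `../../x` are joined to the extraction directory without being checked. As an added example that is not IBM's or Vigil@nce's code, the following program builds a small archive in memory containing two legitimate entries, one relative traversal entry and one absolute-path entry, then extracts it while refusing anything that would land outside the root. The entry names, their contents and the class name are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example (not IBM or Vigil@nce code): unpacking a zip-based archive such as an
 * EBA while refusing any entry whose path would land outside the extraction root.
 */
public final class SafeArchiveExtract {

    /** Resolve an entry name under root; throw if normalisation carries it outside. */
    static Path resolveEntry(Path root, String entryName) throws IOException {
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes extraction root: " + entryName);
        }
        return target;
    }

    /** Extract every safe entry and return the paths written relative to root; unsafe entries are skipped. */
    static List<String> extract(byte[] archive, Path root) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        List<String> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                Path target;
                try {
                    target = resolveEntry(base, e.getName());
                } catch (IOException bad) {
                    System.out.println("rejected: " + bad.getMessage());
                    continue;
                }
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                written.add(base.relativize(target).toString().replace('\\', '/'));
            }
        }
        return written;
    }

    /** Build a small archive in memory from name -> content pairs (constructed input). */
    static byte[] buildArchive(Map<String, String> entries) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (Map.Entry<String, String> en : entries.entrySet()) {
                zout.putNextEntry(new ZipEntry(en.getKey()));
                zout.write(en.getValue().getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Map<String, String> entries = new LinkedHashMap<>();
        entries.put("META-INF/APPLICATION.MF", "Application-SymbolicName: demo\n"); // legitimate
        entries.put("bundles/demo.jar", "not really a jar");                         // legitimate
        entries.put("../../outside.txt", "planted");                                 // relative traversal
        entries.put("/tmp/absolute.txt", "planted");                                 // absolute path
        Path root = Files.createTempDirectory("eba-extract");
        List<String> written = extract(buildArchive(entries), root);
        System.out.println("root: " + root);
        System.out.println("written: " + written);
    }
}
```

The check has to be made on the normalised, absolute target path rather than on the raw entry name, because a name can reach the parent directory through `..` segments, through an absolute path, or on Windows through a drive-relative path, and only the resolved result tells you where the file would actually be created.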

computer vulnerability note CVE-2018-1643

WebSphere AS: Cross Site Scripting via Installation Verification Tool

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Installation Verification Tool of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Rational ClearCase, Security Directory Server, Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 12/11/2018.
Identifiers: CERTFR-2018-AVI-539, CERTFR-2018-AVI-544, CVE-2018-1643, ibm10716857, ibm10743909, ibm10794423, ibm10869322, VIGILANCE-VUL-27759.

Description of the vulnerability

The WebSphere AS product offers a web service.

However, data received via the Installation Verification Tool is inserted into generated HTML documents without being encoded.

An attacker can therefore trigger a Cross Site Scripting via Installation Verification Tool of WebSphere AS, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2018-1798

WebSphere AS: Cross Site Scripting via SIBMsgMigration Utility

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via SIBMsgMigration Utility of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 09/11/2018.
Identifiers: CERTFR-2018-AVI-539, CVE-2018-1798, ibm10730703, ibm10743903, VIGILANCE-VUL-27743.

Description of the vulnerability

The WebSphere AS product offers a web service.

However, data received via the SIBMsgMigration Utility is inserted into generated HTML documents without being encoded.

An attacker can therefore trigger a Cross Site Scripting via SIBMsgMigration Utility of WebSphere AS, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2018-1767

WebSphere AS: Cross Site Scripting via CacheMonitor

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via CacheMonitor of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Tivoli System Automation, WebSphere AS Liberty, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/10/2018.
Identifiers: CVE-2018-1767, ibm10729547, ibm10739945, VIGILANCE-VUL-27620.

Description of the vulnerability

The WebSphere AS product offers a web service.

However, data received via CacheMonitor is inserted into generated HTML documents without being encoded.

An attacker can therefore trigger a Cross Site Scripting via CacheMonitor of WebSphere AS, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2012-1007

Apache Struts 1.3: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Apache Struts 1.3, in order to run JavaScript code in the context of the web site.
Impacted products: Struts, Tivoli System Automation, WebSphere AS Traditional, Oracle Communications.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/10/2018.
Identifiers: 2016214, cpuoct2018, CVE-2012-1007, ibm10719287, ibm10719297, ibm10719301, ibm10719303, ibm10719307, VIGILANCE-VUL-27508.

Description of the vulnerability

The Apache Struts 1.3 product offers a web service.

However, data received from the client is inserted into generated HTML documents without being encoded.

An attacker can therefore trigger a Cross Site Scripting of Apache Struts 1.3, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2018-1777

WebSphere AS: Cross Site Scripting via Admin Console

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Admin Console of WebSphere AS, in order to run JavaScript code in the context of the web site.
Impacted products: Rational ClearCase, Tivoli System Automation, WebSphere AS Traditional.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/10/2018.
Identifiers: CVE-2018-1777, ibm10720259, ibm10730631, ibm10737723, VIGILANCE-VUL-27498.

Description of the vulnerability

The WebSphere AS product offers a web service.

However, data received via the Admin Console is inserted into generated HTML documents without being encoded.

An attacker can therefore trigger a Cross Site Scripting via Admin Console of WebSphere AS, in order to run JavaScript code in the context of the web site.
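The five Cross Site Scripting entries above (Installation Verification Tool, SIBMsgMigration Utility, CacheMonitor, Apache Struts 1.3 and the Admin Console) share one root cause: request data concatenated into HTML without encoding for the context it lands in. As an added example that is not IBM's, Apache's or Vigil@nce's code, the following plain-Java program shows the vulnerable concatenation beside the encoded form for both element content and attribute values, and why stripping a single tag name is not a fix. The `cache` parameter name, the payload strings and the class name are constructed for the illustration.

```java
/**
 * Added example (not IBM, Apache or Vigil@nce code): inserting request data into
 * HTML as-is versus encoding it for the context it lands in.
 */
public final class HtmlOutputEncoding {

    /** Encode for HTML element content and for double-quoted attribute values. */
    static String encode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The vulnerable pattern: a request parameter concatenated straight into the page. */
    static String renderUnsafe(String cacheName) {
        return "<td>" + cacheName + "</td>";
    }

    /** The same fragment with the value encoded for element content. */
    static String renderSafe(String cacheName) {
        return "<td>" + encode(cacheName) + "</td>";
    }

    /** Attribute context: quoted and encoded, so a stray quote cannot close the attribute early. */
    static String renderAttributeSafe(String cacheName) {
        return "<input type=\"text\" name=\"cache\" value=\"" + encode(cacheName) + "\">";
    }

    /** A "filter" that removes one tag name is not a fix: the payload just uses another tag or an event handler. */
    static String naiveFilter(String s) {
        return s.replace("<script>", "").replace("</script>", "");
    }

    public static void main(String[] args) {
        // Constructed payloads of the kind a reflected-XSS report would cite.
        String scriptTag = "<script>alert(document.cookie)</script>";
        String eventHandler = "\"><img src=x onerror=alert(1)>";

        System.out.println("unsafe, element content : " + renderUnsafe(scriptTag));
        System.out.println("encoded, element content: " + renderSafe(scriptTag));
        System.out.println("unsafe after tag filter  : " + renderUnsafe(naiveFilter(eventHandler)));
        System.out.println("encoded, attribute value: " + renderAttributeSafe(eventHandler));
        System.out.println("encoded, element content: " + renderSafe(eventHandler));
    }
}
```

Encoding is applied at the point of output and chosen per context: the five characters above suffice for element content and quoted attributes, but a value placed inside a JavaScript block, a URL or a CSS property needs the encoder for that context instead, which is why a single input "filter" at the front door keeps failing.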