Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454
HistoryMar 22, 2022 - 4:08 p.m.

Security Bulletin: Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js

2022-03-2216:08:59
www.ibm.com
14

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.973 High

EPSS

Percentile

99.9%

JSON

Summary

Multiple security vulnerabilities in packages such as Apache Struts and Node.js affect WebSphere Service Registry and Repository. These have been addressed.

Vulnerability Details

CVEID:CVE-2014-0114
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92889 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2019-10086
**DESCRIPTION:**Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2017-18640
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174331 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-15494
**DESCRIPTION:**Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148556 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2015-8854
**DESCRIPTION:**The Node.js marked module is vulnerable to a denial of service, caused by an error in the regular expression implementation. An attacker could exploit this vulnerability using a regular expression to cause the application to hang.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/112561 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2015-9251
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138029 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-14863
**DESCRIPTION:**Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173893 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2016-10531
**DESCRIPTION:**Node.js marked module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the link components. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/149101 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2017-1000427
**DESCRIPTION:**Marked is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data: URI parser. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/137243 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-11023
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181350 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-11022
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-11358
**DESCRIPTION:**jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159633 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-7676
**DESCRIPTION:**angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183379 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-3721
**DESCRIPTION:**Node.js lodash module could allow a remote attacker to bypass security restrictions, caused by a flaw in the defaultsDeep, 'merge, and mergeWith functions. By modifing the prototype of Object, an attacker could exploit this vulnerability to add or modify existing property that will exist on all objects.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/144603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
WebSphere Service Registry and Repository 8.5.x

Remediation/Fixes

For all versions of WebSphere Service Registry and Repository:

Workarounds and Mitigations

None

Related

ibm 77
atlassian 6
altlinux 1
nessus 23
oraclelinux 2
osv 15
ubuntu 1
openvas 14
suse 1
attackerkb 2
githubexploit 3
hp 1
fedora 5
joomla 1
debian 3
checkpoint_advisories 1
drupal 1
redhat 4
rocky 1
typo3 1
gentoo 1
cve 5
github 4
ubuntucve 5
nodejs 2
redhatcve 3
debiancve 4
veracode 3
prion 5
f5 2
packetstorm 1
zdt 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities found in third party libraries used by IBM® MobileFirst Platform
2023-04-19 17:26:48
Security Bulletin: jQuery included in ITNM is vulnerable to Cross-site Scripting (XSS) attacks (multiple vulnerabilities)
2023-01-05 15:14:50
Security Bulletin: Vulnerability in jQuery affects IBM Process Mining (Multiple CVEs)
2023-02-01 21:57:35
atlassian
atlassian
Update jQuery to avoid CVE-2020-11022, CVE-2020-11023, and CVE-2015-9251
2021-02-16 18:28:38
Jira uses vulnerable jQuery version CVE-2015-9251
2020-04-20 13:29:57
Update jQuery to avoid CVE-2020-11022 and CVE-2020-11023
2021-02-02 09:59:24
altlinux
altlinux
Security fix for the ALT Linux 9 package phpipam version 1.42.027-alt1
2020-10-21 00:00:00
nessus
nessus
Fedora 32 : marked (2020-d714c08261)
2020-06-04 00:00:00
Fedora 31 : marked (2020-5eca570e16)
2020-06-01 00:00:00
Ubuntu 16.04 ESM / 18.04 ESM : Apache Commons BeanUtils vulnerabilities (USN-4766-1)
2023-10-16 00:00:00
oraclelinux
oraclelinux
apache-commons-beanutils security update
2020-01-22 00:00:00
jquery-ui security update
2022-03-01 00:00:00
osv
osv
commons-beanutils vulnerabilities
2021-03-15 20:06:47
jquery - security update
2021-03-25 00:00:00
drupal7 - security update
2020-05-26 00:00:00
ubuntu
ubuntu
Apache Commons BeanUtils vulnerabilities
2021-03-15 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-4766-1)
2023-01-27 00:00:00
openSUSE: Security Advisory for otrs (openSUSE-SU-2020:1888-1)
2020-11-10 00:00:00
Debian: Security Advisory (DLA-2608-1)
2021-03-26 00:00:00
suse
suse
Security update for otrs (moderate)
2020-11-10 00:00:00
attackerkb
attackerkb
CVE-2020-11022
2020-04-29 00:00:00
CVE-2020-11023
2020-04-29 00:00:00
githubexploit
githubexploit
Exploit for Cross-site Scripting in Jquery
2021-10-16 01:10:33
Exploit for Cross-site Scripting in Jquery
2020-04-14 19:12:01
Exploit for Cross-site Scripting in Angularjs Angular.Js
2020-12-01 09:45:48
hp
hp
HPSBPI03688 rev. 1 - Certain HP Printer and MFP products - Cross-Site Scripting (XSS)
2020-09-17 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: drupal8-8.9.0-1.fc32
2020-06-16 01:32:24
[SECURITY] Fedora 31 Update: marked-1.1.0-3.fc31
2020-05-31 03:58:57
[SECURITY] Fedora 32 Update: marked-1.1.0-3.fc32
2020-05-31 03:31:34
joomla
joomla
[20200604] - Core - XSS in jQuery.htmlPrefilter
2020-04-10 00:00:00
debian
debian
[SECURITY] [DLA 2608-1] jquery security update
2021-03-26 01:32:22
[SECURITY] [DSA 4693-1] drupal7 security update
2020-05-26 21:08:21
[SECURITY] [DLA 1492-1] dojo security update
2018-09-03 08:06:10
checkpoint_advisories
checkpoint_advisories
jQuery Cross Site Scripting (CVE-2020-11022; CVE-2020-11023)
2020-11-16 00:00:00
drupal
drupal
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002
2020-05-20 00:00:00
redhat
redhat
(RHSA-2020:5249) Moderate: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
2020-11-30 14:00:30
(RHSA-2020:4211) Moderate: Red Hat AMQ Interconnect 1.9.0 release and security update
2020-10-08 06:44:00
(RHSA-2021:4142) Low: pcs security, bug fix, and enhancement update
2021-11-09 08:21:49
rocky
rocky
pcs security, bug fix, and enhancement update
2021-11-09 08:21:49
typo3
typo3
Cross-Site Scripting in extension "Kitodo.Presentation" (dlf)
2020-07-29 00:00:00
gentoo
gentoo
Cacti: Multiple vulnerabilities
2020-07-26 00:00:00
cve
cve
CVE-2015-8854
2017-01-23 21:59:00
CVE-2017-1000427
2018-01-02 23:29:00
CVE-2019-14863
2020-01-02 15:15:00
github
github
Regular Expression Denial of Service in marked
2017-10-24 18:33:36
Marked vulnerable to XSS from data URIs
2018-01-04 21:04:19
dojox vulnerable to unescaped string injection
2018-10-15 22:03:48
ubuntucve
ubuntucve
CVE-2017-1000427
2018-01-02 00:00:00
CVE-2015-8854
2017-01-23 00:00:00
CVE-2019-14863
2020-01-02 00:00:00
nodejs
nodejs
Regular Expression Denial of Service
2015-10-17 19:41:46
Cross-Site Scripting
2020-01-10 20:46:03
redhatcve
redhatcve
CVE-2019-14863
2019-10-21 13:21:25
CVE-2018-15494
2018-08-23 05:54:01
CVE-2020-7676
2020-06-19 20:29:14
debiancve
debiancve
CVE-2017-1000427
2018-01-02 23:29:00
CVE-2015-8854
2017-01-23 21:59:00
CVE-2018-15494
2018-08-18 02:29:00
veracode
veracode
Cross-site Scripting (XSS)
2017-01-27 04:09:58
Cross-Site Scripting (XSS)
2018-08-20 07:17:16
Denial Of Service (DoS)
2020-02-13 05:33:31
prion
prion
Design/Logic Flaw
2018-01-02 23:29:00
Code injection
2017-01-23 21:59:00
Sql injection
2018-08-18 02:29:00
f5
f5
K05052081 : NodeJS vulnerability CVE-2015-8854
2019-11-25 00:00:00
K32412075 : AngularJS XSS vulnerability CVE-2020-7676
2021-07-23 00:00:00
packetstorm
packetstorm
Dojo Toolkit 1.13 Cross Site Scripting
2018-08-27 00:00:00
zdt
zdt
Dojo Toolkit 1.13 Cross Site Scripting Vulnerability
2018-08-28 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.973 High

EPSS

Percentile

99.9%

JSON
Related for 63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454
ibm77atlassian6altlinux1nessus23oraclelinux2osv15ubuntu1openvas14suse1attackerkb2githubexploit3hp1fedora5joomla1debian3checkpoint_advisories1drupal1redhat4rocky1typo31gentoo1cve5github4ubuntucve5nodejs2redhatcve3debiancve4veracode3prion5f52packetstorm1zdt1