Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA74F53C564BC9A397A663D6D37FB2EAB633C6A0F9592C80C40C04AFC8B563964
HistoryDec 22, 2020 - 4:37 p.m.

Security Bulletin: Rational Synergy is affected by vulnerabilities (CVE-2014-5325 and CVE-2014-5326) in Java Open Source Direct Web Remoting library.

2020-12-2216:37:26
www.ibm.com
4

0.003 Low

EPSS

Percentile

71.1%

JSON

Summary

The DOMConverter, JDOMConverter, DOM4JConverter, and XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerability Details

CVEID: CVE-2014-5325 **DESCRIPTION:**Direct Web Remoting (DWR) could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain local system files and other sensitive information. **CVSS Base Score:**4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98687&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-5326 **DESCRIPTION:**Direct Web Remoting (DWR) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. **CVSS Base Score:**4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98686&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Rational Synergy 7.2.0.6 and earlier
Rational Synergy 7.2.1.3 and earlier

Remediation/Fixes

Issue is fixed in Rational Synergy by upgrading DWR library from version 2.0.3 to version 2.0.11.

Product

|

VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—

Rational Synergy

| 7.2.0.7| None| <http://www-01.ibm.com/support/docview.wss?uid=swg24039200&gt;

Rational Synergy

| 7.2.1.3| None| <http://www.ibm.com/support/docview.wss?uid=swg24040012&gt;

Related

ibm 1
cve 2
github 2
cvelist 2
prion 2
jvn 2
osv 2
nvd 2
ibm
ibm
Security Bulletin: Rational Change is affected by vulnerabilities (CVE-2014-5325 and CVE-2014-5326) in Java Open Source Direct Web Remoting library.
2018-06-17 05:00:45
cve
cve
CVE-2014-5326
2014-11-24 02:59:03
CVE-2014-5325
2014-11-24 02:59:01
github
github
Improper Neutralization of Input During Web Page Generation in Direct Web Remoting
2022-05-17 04:21:06
Exposure of Sensitive Information to an Unauthorized Actor in Direct Web Remoting
2022-05-17 03:46:06
cvelist
cvelist
CVE-2014-5326
2014-11-24 02:00:00
CVE-2014-5325
2014-11-24 02:00:00
prion
prion
Cross site scripting
2014-11-24 02:59:00
Xxe
2014-11-24 02:59:00
jvn
jvn
JVN#52422792: Direct Web Remoting (DWR) vulnerable to cross-site scripting
2014-11-14 00:00:00
JVN#91502163: Direct Web Remoting (DWR) vulnerable to XML external entity injection
2014-11-14 00:00:00
osv
osv
Improper Neutralization of Input During Web Page Generation in Direct Web Remoting
2022-05-17 04:21:06
Exposure of Sensitive Information to an Unauthorized Actor in Direct Web Remoting
2022-05-17 03:46:06
nvd
nvd
CVE-2014-5326
2014-11-24 02:59:03
CVE-2014-5325
2014-11-24 02:59:01

0.003 Low

EPSS

Percentile

71.1%

JSON
Related for A74F53C564BC9A397A663D6D37FB2EAB633C6A0F9592C80C40C04AFC8B563964
ibm1cve2github2cvelist2prion2jvn2osv2nvd2