34 matches found
RWS WorldServer - Authentication Bypass
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint. id: CVE-2022-34267 info: name: RWS...
EUVD-2023-42174
Malicious code in bioql PyPI...
CVE-2023-38357
Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions...
CVE-2022-34268
An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host...
CVE-2022-34269
An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/loaddtd?systemid= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution...
CVE-2022-34270
An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager...
CVE-2022-34267
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...
RWS WorldServer 安全漏洞
RWS WorldServer is a flexible, enterprise-class translation management system from RWS UK. A security vulnerability exists in RWS WorldServer version v11.8.2, which stems from the presence of an XML External Entity XXE vulnerability that allows an attacker to access sensitive information and...
CVE-2022-34269
An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/loaddtd?systemid= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution...
Design/Logic Flaw
An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager...
Server side request forgery (ssrf)
An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/loaddtd?systemid= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution...
RWS WorldServer Security Vulnerability
RWS WorldServer is a flexible, enterprise-class translation management system from RWS UK. A security vulnerability exists in RWS WorldServer versions prior to 11.7.3, which stems from the fact that a normal user can create a user with the role of administrator via UserWSUserManager...
CVE-2022-34268
An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host...
CVE-2022-34267
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...
Authentication flaw
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...
Authentication flaw
An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host...
CVE-2022-34267
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...
CVE-2022-34270
An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager...
CVE-2022-34268
An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host...
CVE-2022-34269
CVE-2022-34269 affects RWS WorldServer versions prior to 11.7.3. An authenticated, remote attacker can trigger a blind SSRF via the endpoint ws-legacy/load_dtd?system_id=, causing JSP code deployment to the Apache Axis service on localhost and resulting in command execution. Documented impact is ...