1114 matches found

CVE
added 2020/09/15 1:50 p.m. | 110 views

CVE-2020-4703

CVE-2020-4703 affects IBM Spectrum Protect Plus 10.1.0–10.1.6 (Administrative Console). The issue allows an authenticated attacker to upload arbitrary files, which could be used to execute arbitrary code on the vulnerable server. It stems from an incomplete fix for CVE-2020-4470. Exploitation req...

CVSS 8 | AI score 7.8 | EPSS 0.00842
Exploits 0 | References 2 | Affected Software 1
NCSC
added 2020/09/11 12:00 a.m. | 2 views

Vulnerability fixed in WebSphere Application Server Admin Console

IBM has fixed a vulnerability in the WebSphere Application Server Admin Console. The attack that can exploit this vulnerability is referred to as Cross-Site Scripting. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code in the browser of t...

CVSS 5.4 | AI score 7.8 | EPSS 0.00208
Exploits 0
RedHat Linux
added 2020/09/02 9:47 a.m. | 0 views

keycloak: security headers missing on REST endpoints

A flaw was found in Keycloak’s Admin Console, where it is missing HTTP security headers in HTTP responses. This issue is not a direct vulnerability and may not lead to a security issue, but increases the chances of allowing attackers to exploit other security flaws. Examples of these possible...

CVSS 5.8 | AI score 5.8 | EPSS 0.00134
Exploits 0 | References 4
RedHat Linux
added 2020/07/23 7:03 a.m. | 1 view

keycloak: stored XSS in client settings via application links

A flaw was found during the assessment of the Admin Console application for Keycloak, where it was found that Application Links to external applications are not validated properly. An attacker could use this flaw to cause Stored XSS attacks...

CVSS 6.1 | AI score 5.8 | EPSS 0.00283
Exploits 0 | References 4
NVD
added 2020/07/20 10:15 p.m. | 12 views

CVE-2020-13932

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and th...

CVSS 6.1 | AI score 6 | EPSS 0.02552
Exploits 0 | References 4
OSV
added 2020/07/20 10:15 p.m. | 30 views

CVE-2020-13932

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and th...

CVSS 6.1 | AI score 5.9 | EPSS 0.02552
Exploits 0 | References 4
Prion
added 2020/07/20 10:15 p.m. | 18 views

Cross site scripting

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and th...

CVSS 4.3 | AI score 6.1 | EPSS 0.02552
Exploits 0 | References 4 | Affected Software 1
Cvelist
added 2020/07/20 9:08 p.m. | 15 views

CVE-2020-13932

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and th...

AI score 6 | EPSS 0.02552
Exploits 0 | References 4
Fortinet
added 2020/06/26 12:00 a.m. | 66 views

CVE-2004-1653 SSH port forwarding exposes unprotected internal services

An improper access control vulnerability in the admin SSH console of multiple products may allow an authenticated user to access internal-only system services by using SSH local port forwarding. A successful attack needs an authenticated admin SSH user to set up a port bounce to product internal...

CVSS 6.4 | AI score 2.8 | EPSS 0.00389
Exploits 0 | Affected Software 12
CVE
added 2020/06/15 1:25 p.m. | 50 views

CVE-2020-4470

CVE-2020-4470 affects IBM Spectrum Protect Plus Administrative Console (versions 10.1.0–10.1.5). The root cause is an incomplete fix that allowed an authenticated attacker to upload arbitrary files, which could be exploited to execute code on the vulnerable server. Public sources describe a follo...

CVSS 8 | AI score 7.8 | EPSS 0.00515
Exploits 0 | References 3 | Affected Software 1
IBM Security Bulletins
added 2020/06/10 11:02 a.m. | 38 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with, or a required product for, IBM Tivoli Network Manager (CVE-2019-4670)

Summary: IBM WebSphere Application Server is shipped with IBM Tivoli Network Manager version 3.9 & 4.1.1; IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has bee...

AI score 1.8 | EPSS 0.00231
Exploits 0 | Affected Software 1
Prion
added 2020/06/01 7:15 p.m. | 15 views

Input validation

An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI...

CVSS 8.5 | AI score 6.5 | EPSS 0.00564
Exploits 0 | References 1 | Affected Software 3
RedHat Linux
added 2020/06/01 3:32 p.m. | 2 views

keycloak: stored XSS in client settings via application links

A flaw was found during the assessment of the Admin Console application for Keycloak, where it was found that Application Links to external applications are not validated properly. An attacker could use this flaw to cause Stored XSS attacks...

CVSS 6.1 | AI score 5.8 | EPSS 0.00283
Exploits 0 | References 4
Tenable Nessus
added 2020/05/27 12:00 a.m. | 19 views

IBM WebSphere Application Server Admin Console 7.0.0.0 <= 7.0.0.45 / 8.0.0.0 <= 8.0.0.15 / 8.5.0.0 <= 8.5.5.14 / 9.0.0.0 <= 9.0.0.9 XSS

A cross-site scripting vulnerability exists in WebSphere Application Server Admin Console. A user can embed arbitrary JavaScript code in the Web UI, potentially altering intended functionality and leading to possible credential disclosure within a trusted session...

CVSS 5.4 | AI score 6.2 | EPSS 0.00287
Exploits 0 | References 2
CNVD
added 2020/05/11 12:00 a.m. | 1 view

Red Hat Keycloak Code Execution Vulnerability

Red Hat Keycloak is a suite of software from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A security vulnerability exists in the admin console in Red Hat Keycloak. The vulnerability can be exploited by an attacker to execute arbitrar...

CVSS 7.2 | AI score 7.9 | EPSS 0.00742
Exploits 0 | References 1
OSV
added 2020/05/10 11:15 p.m. | 4 views

CVE-2020-9315

PRODUCT NOT SUPPORTED WHEN ASSIGNED Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE: a related support policy can be found in the www.oracle.com references...

CVSS 7.5 | AI score 6.4 | EPSS 0.8793
Exploits 0 | References 4
OSV
added 2020/05/08 2:15 p.m. | 30 views

CVE-2019-10170

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the...

CVSS 7.2 | AI score 7.1 | EPSS 0.00742
Exploits 0 | References 1