318 matches found
Security Bulletin: Multiple vulnerabilities affect Java Server Faces (JSF) used by WebSphere Application Server (CVE-2017-1583, CVE-2011-4343)
Summary There are two potential infomation disclosure vulnerabilities that affects the Java Server Faces JSF component used by WebSphere Application Server. Vulnerability Details CVEID: CVE-2017-1583 DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to obtain sensitive...
Cisco Prime Data Center Network Manager File Upload RCE (cisco-sa-20180502-prime-upload)
The Cisco Prime Data Center Network Manager DCNM running on the remote host is affected by a remote code execution vulnerability due to improper input validation of the parameters in an HTTP request processed by the XmpFileUploadServlet servlet. An unauthenticated, remote attacker can exploit thi...
tomcat: Information Disclosure when using VirtualDirContext
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request...
tomcat: Remote Code Execution via JSP Upload
A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution...
DS Data Systems KonaKart eCommerce Platform Directory Traversal Vulnerability
DS Data Systems KonaKart eCommerce Platform is a Java-based eCommerce software from DS Data Systems, UK. The software enhances modules such as shopping cart, payment and order summarization. A directory traversal vulnerability exists in the administration panel of DS Data Systems KonaKart eCommer...
IBM TRIRIGA Application Platform Input Validation Vulnerability
The IBM TRIRIGA Application Platform is a set of technology platforms for deploying TRIRIGA applications from IBM in the United States. The platform provides a set of design-time and run-time components for building and running its enterprise applications, respectively, and supports...
CVE-2016-0300
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 might allow remote attackers to access arbitrary JSP pages via vectors related to improper input validation. IBM X-Force ID: 111412...
undertow: Long URL proxy request lead to java.nio.BufferOverflowException and DoS
It was discovered that a long URL sent to EAP 7 Server operating as a reverse proxy with default buffer sizes causes a Denial of Service...
BSA-2017-447
Security Advisory ID : BSA-2017-447 Component : Apache Revision : 2.0: Final When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to fals...
Apache Tomcat Patches Important Remote Code Execution Flaw
The Apache Tomcat team has recently patched several security vulnerabilities in Apache Tomcat, one of which could allow an unauthorised attacker to execute malicious code on affected servers remotely. Apache Tomcat, developed by the Apache Software Foundation ASF, is an open source web server and...
Apache Tomcat Remote Code Execution Vulnerability (CNVD-2017-30092)
Apache Tomcat is a popular open source JSP application server program. Apache Tomcat has a remote code execution vulnerability. With HTTP PUT enabled in Apache Tomcat, an attacker can upload an arbitrary JSP file to the server via a constructed request, resulting in remote code execution...
CVE-2017-14105
HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at...
tomcat: security manager bypass via JSP Servlet config parameters
It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet...
[SECURITY] Fedora 26 Update: jetty-9.4.6-1.v20170531.fc26
Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server like Apache in ord er to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate...
CMS4J suffers from an arbitrary file download vulnerability patch bypass vulnerability
CMS4J is a CMS system developed by Beijing Paidao Network based on JSP program. CMS4J has an arbitrary file download vulnerability patch bypass vulnerability. The vulnerability arises from the DownloadFile servlet arbitrary file download repair code to download the file filtering is not strict, c...
Buffer overflow
Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware subcomponent: Java Server Faces. The supported version that is affected is 3.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle...
UBUNTU-CVE-2017-3626
Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware subcomponent: Java Server Faces. The supported version that is affected is 3.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle...
CVE-2017-3626
Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware subcomponent: Java Server Faces. The supported version that is affected is 3.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle...
CVE-2017-3626
Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware subcomponent: Java Server Faces. The supported version that is affected is 3.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle...
Oracle GlassFish Server 3.1.2.x < 3.1.2.17 Java Server Faces Information Disclosure (April 2017 CPU)
According to its self-reported version, the Oracle GlassFish Server running on the remote host is 3.1.2.x prior to 3.1.2.17. It is, therefore, affected by an unspecified flaw in the Java Server Faces subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive...