Websphere Application Server Security Vulnerabilities and Issues — Page 4 of Websphere Application Server CVE List

Lucene search

IbmWebsphere Application Server

430 matches found

CVE•added 2011/09/06 3:55 p.m.•58 views

CVE-2011-1359

Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.

5CVSS6.4AI score0.00193EPSS

CVE•added 2014/12/18 4:59 p.m.•58 views

CVE-2014-6164

IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

5CVSS4.8AI score0.00376EPSS

CVE•added 2014/12/18 4:59 p.m.•58 views

CVE-2014-8890

IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraints and ServletSecurity annotations.

5.1CVSS5.3AI score0.01049EPSS

CVE•added 2017/07/21 8:29 p.m.•58 views

CVE-2017-1381

IBM WebSphere Application Server Proxy Server or On-demand-router (ODR) 7.0, 8.0, 8.5, 9.0 and could allow a local attacker to obtain sensitive information, caused by stale data being cached and then served. IBM X-Force ID: 127152.

3.3CVSS3.6AI score0.00057EPSS

CVE•added 2017/08/03 3:29 p.m.•58 views

CVE-2017-1504

IBM WebSphere Application Server version 9.0.0.4 could provide weaker than expected security after using the PasswordUtil command to enable AES password encryption. IBM X-Force ID: 129579.

6.5CVSS6.6AI score0.00157EPSS

CVE•added 2019/12/10 4:15 p.m.•58 views

CVE-2019-4663

IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245.

5.4CVSS5.6AI score0.00218EPSS

CVE•added 2022/11/11 7:15 p.m.•58 views

CVE-2022-40750

IBM WebSphere Application Server 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 2365...

5.4CVSS5.2AI score0.0018EPSS

CVE•added 2010/05/17 10:30 p.m.•57 views

CVE-2010-0776

The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle chunked transfer encoding during a call to response.sendRedirect, which allows remote attackers to cause a denial of service via a GET request.

5CVSS6.4AI score0.00527EPSS

CVE•added 2011/03/08 9:59 p.m.•57 views

CVE-2011-1317

Memory leak in com.ibm.ws.jsp.runtime.WASJSPStrBufferImpl in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by sending many JSP requests that tri...

5CVSS6.5AI score0.00458EPSS

CVE•added 2012/06/20 10:27 a.m.•57 views

CVE-2012-0716

Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server 7.0 before 7.0.0.23 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS7.3AI score0.00266EPSS

CVE•added 2012/06/20 10:27 a.m.•57 views

CVE-2012-2170

The Application Snoop Servlet in IBM WebSphere Application Server 7.0 before 7.0.0.23 does not properly restrict access, which allows remote attackers to obtain sensitive client and request information via a direct request.

4.3CVSS8.7AI score0.00576EPSS

CVE•added 2013/01/27 6:55 p.m.•57 views

CVE-2013-0459

Cross-site scripting (XSS) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.27, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS7.3AI score0.00266EPSS

CVE•added 2013/04/24 10:28 a.m.•57 views

CVE-2013-0542

Cross-site scripting (XSS) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 allows remote attackers to inject arbitrary web script or HTML via crafted field values.

4.3CVSS7.5AI score0.00266EPSS

CVE•added 2014/05/01 5:29 p.m.•57 views

CVE-2014-0823

IBM WebSphere Application Server (WAS) 8.x before 8.0.0.9 and 8.5.x before 8.5.5.2 allows remote attackers to read arbitrary files via a crafted URL.

4.3CVSS8.9AI score0.0039EPSS

CVE•added 2014/12/18 4:59 p.m.•57 views

CVE-2014-6166

The Communications Enabled Applications (CEA) service in IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4, and Feature Pack for CEA 1.x before 1.0.0.15, allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entit...

4.3CVSS4.1AI score0.00364EPSS

CVE•added 2016/08/08 1:59 a.m.•57 views

CVE-2016-2960

IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.0.x before 8.0.0.13, 8.5.0.x before 8.5.5.10, 8.5.0.x and 16.0.0.x Liberty before Liberty Fix Pack 16.0.0.3, and 9.0.0.x before 9.0.0.1 allows remote attackers to cause a denial of service via crafted SIP messages.

4.3CVSS5.3AI score0.00676EPSS

CVE•added 2017/08/18 3:29 p.m.•57 views

CVE-2017-1501

IBM WebSphere Application Server 8.0, 8.5, and 9.0 could provide weaker than expected security after using the Admin Console to update the web services security bindings settings. IBM X-Force ID: 129576.

5.9CVSS5.7AI score0.00701EPSS

CVE•added 2019/03/06 8:29 p.m.•57 views

CVE-2019-4030

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 15594...

5.4CVSS5.3AI score0.0024EPSS

CVE•added 2019/04/02 2:29 p.m.•57 views

CVE-2019-4080

IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 is vulnerable to a potential denial of service, caused by improper parameter parsing. A remote attacker could exploit this to consume all available CPU resources. IBM X-Force ID: 157380.

6.8CVSS6.4AI score0.0134EPSS

CVE•added 2021/04/21 12:15 p.m.•57 views

CVE-2021-20454

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.

8.2CVSS8AI score0.00172EPSS

CVE•added 2022/01/25 5:15 p.m.•57 views

CVE-2021-39031

IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM...

8.8CVSS8.4AI score0.00409EPSS

CVE•added 2023/01/26 9:17 p.m.•57 views

CVE-2022-43917

IBM WebSphere Application Server 8.5 and 9.0 traditional container uses weaker than expected cryptographic keys that could allow an attacker to decrypt sensitive information. This affects only the containerized version of WebSphere Application Server traditional. IBM X-Force ID: 241045.

7.5CVSS6.4AI score0.00033EPSS

CVE•added 2013/04/24 10:28 a.m.•56 views

CVE-2013-0540

IBM WebSphere Application Server (WAS) Liberty Profile 8.5 before 8.5.0.2, when SSL is not enabled, does not properly validate authentication cookies, which allows remote authenticated users to bypass intended access restrictions via an HTTP session.

3.5CVSS8.9AI score0.00122EPSS

CVE•added 2014/08/22 1:55 a.m.•56 views

CVE-2014-3070

The addFileRegistryAccount Virtual Member Manager (VMM) SPI Admin Task in IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.3 does not properly create accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors.

5CVSS5AI score0.01211EPSS

CVE•added 2017/06/08 9:29 p.m.•56 views

CVE-2016-9736

IBM WebSphere Application Server using malformed SOAP requests could allow a remote attacker to obtain sensitive information.

5.3CVSS5.2AI score0.00304EPSS

CVE•added 2020/05/14 4:15 p.m.•56 views

CVE-2020-4365

IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964.

5.3CVSS4.4AI score0.00183EPSS

CVE•added 2020/10/01 4:15 p.m.•56 views

CVE-2020-4576

IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 184428.

7.5CVSS7.1AI score0.00442EPSS

CVE•added 2012/11/14 12:30 p.m.•55 views

CVE-2012-4850

IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1, when JAX-RS is used, does not properly validate requests, which allows remote attackers to gain privileges via unspecified vectors.

7.5CVSS9.3AI score0.00792EPSS

CVE•added 2012/11/14 12:30 p.m.•55 views

CVE-2012-4851

Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URI.

4.3CVSS7.3AI score0.0023EPSS

CVE•added 2013/04/24 10:28 a.m.•55 views

CVE-2013-0565

Cross-site scripting (XSS) vulnerability in the RPC adapter for the Web 2.0 and Mobile toolkit in IBM WebSphere Application Server (WAS) 8.5 before 8.5.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted response.

4.3CVSS7.3AI score0.00266EPSS

CVE•added 2013/08/21 9:55 p.m.•55 views

CVE-2013-3029

Cross-site request forgery (CSRF) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.31, 8.0 before 8.0.0.7, and 8.5 before 8.5.5.1 allows remote attackers to hijack the authentication of arbitrary users for requests that inse...

6.8CVSS8.7AI score0.00119EPSS

CVE•added 2013/08/21 9:55 p.m.•55 views

CVE-2013-4004

Cross-site scripting (XSS) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 8.0 before 8.0.0.7 and 8.5 before 8.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5CVSS6.9AI score0.00162EPSS

CVE•added 2014/01/16 8:55 p.m.•55 views

CVE-2013-6725

Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server 7.x before 7.0.0.31, 8.0.x before 8.0.0.8, and 8.5.x before 8.5.5.2 allows remote authenticated administrators to inject arbitrary web script or HTML via a crafted URL.

3.5CVSS7AI score0.00291EPSS

CVE•added 2014/05/01 5:29 p.m.•55 views

CVE-2014-0857

The Administrative Console in IBM WebSphere Application Server (WAS) 8.x before 8.0.0.9 and 8.5.x before 8.5.5.2 allows remote authenticated users to obtain sensitive information via a crafted request.

4CVSS8.3AI score0.00253EPSS

CVE•added 2014/06/28 12:55 a.m.•55 views

CVE-2014-0891

IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.2 allows remote attackers to obtain sensitive information by leveraging incorrect request handling by the (1) Proxy or (2) ODR server.

5CVSS8.9AI score0.0039EPSS

CVE•added 2016/01/23 5:59 a.m.•55 views

CVE-2015-7417

Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 7.0 before 7.0.0.41, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.9 allows remote authenticated users to inject arbitrary web script or HTML via crafted data from an OAuth provider.

5.4CVSS5.1AI score0.00172EPSS

CVE•added 2018/06/26 8:29 p.m.•55 views

CVE-2018-1614

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information. IBM X-Force ID: 144270.

7.5CVSS7.2AI score0.00586EPSS

CVE•added 2018/12/12 4:29 p.m.•55 views

CVE-2018-1901

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used. IBM X-Force ID: 152530.

8.8CVSS8.4AI score0.00739EPSS

CVE•added 2023/07/07 3:15 a.m.•55 views

CVE-2023-35890

IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security, caused by the improper encoding in a local configuration file. IBM X-Force ID: 258637.

5.5CVSS5AI score0.00015EPSS

CVE•added 2006/05/17 10:6 a.m.•54 views

CVE-2006-2431

Cross-site scripting (XSS) vulnerability in the 500 Internal Server Error page on the SOAP port (8880/tcp) in IBM WebSphere Application Server 5.0.2 and earlier, 5.1.x before 5.1.1.12, and 6.0.2 up to 6.0.2.7, allows remote attackers to inject arbitrary web script or HTML via the URI, which is cont...

4.3CVSS5.6AI score0.01428EPSS

CVE•added 2010/04/01 7:30 p.m.•54 views

CVE-2010-0769

IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 does not properly define wsadmin scripting J2CConnectionFactory objects, which allows local users to discover a KeyRingPassword password by reading a cleartext field in the resources.xml file.

1.9CVSS5.9AI score0.00054EPSS

CVE•added 2011/01/12 1:0 a.m.•54 views

CVE-2011-0316

The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request.

5CVSS6AI score0.00649EPSS

CVE•added 2011/03/08 9:59 p.m.•54 views

CVE-2011-1322

The SOAP with Attachments API for Java (SAAJ) implementation in the Web Services component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via encrypted SOAP messages.

5CVSS6.6AI score0.00527EPSS

CVE•added 2012/09/25 8:55 p.m.•54 views

CVE-2012-3304

The Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.45, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1 allows remote attackers to hijack sessions via unspecified vectors.

6.8CVSS9AI score0.00731EPSS

CVE•added 2014/01/16 8:55 p.m.•54 views

CVE-2013-6325

IBM WebSphere Application Server 7.x before 7.0.0.31, 8.0.x before 8.0.0.8, and 8.5.x before 8.5.5.2 allows remote attackers to cause a denial of service (resource consumption) via a crafted request to a web services endpoint.

4.3CVSS8.7AI score0.00923EPSS

CVE•added 2014/08/22 1:55 a.m.•54 views

CVE-2014-0965

IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

4.3CVSS8.6AI score0.00549EPSS

CVE•added 2018/10/16 7:29 p.m.•54 views

CVE-2018-1777

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Forc...

5.4CVSS5.3AI score0.00315EPSS

CVE•added 2018/12/12 4:29 p.m.•54 views

CVE-2018-1926

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious URL, a remote attacker could send a specially-crafted request. An attacker could exploit...

8.8CVSS8.3AI score0.00181EPSS

CVE•added 2022/09/13 9:15 p.m.•54 views

CVE-2022-34336

5.4CVSS5.1AI score0.00226EPSS

CVE•added 2000/10/13 4:0 a.m.•53 views

CVE-2000-0652

IBM WebSphere allows remote attackers to read source code for executable web files by directly calling the default InvokerServlet using a URL which contains the "/servlet/file" string.

5CVSS7AI score0.04191EPSS

Total number of security vulnerabilities430