IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.
Max CVSS
7.2
EPSS Score
0.04%
Published
1999-12-02
Updated
2008-09-09
IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
Max CVSS
7.5
EPSS Score
0.18%
Published
2000-06-08
Updated
2024-01-26
Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 allows remote attackers to execute Javascript by inserting the Javascript into (1) a request for a .JSP file, or (2) a request to the webapp/examples/ directory, which inserts the Javascript into an error page.
Max CVSS
7.5
EPSS Score
0.23%
Published
2001-12-06
Updated
2008-09-10
IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain privileges of WebSphere users via brute force guessing.
Max CVSS
7.5
EPSS Score
1.58%
Published
2001-09-19
Updated
2017-10-10
Buffer overflow in the administrative console in IBM WebSphere Application Server 5.x, when the global security option is enabled, allows remote attackers to execute arbitrary code.
Max CVSS
7.5
EPSS Score
75.37%
Published
2005-06-03
Updated
2016-10-18
Double free vulnerability in the BBOORB module in IBM WebSphere Application Server for z/OS 5.0 allows attackers to cause a denial of service (ABEND).
Max CVSS
7.8
EPSS Score
0.94%
Published
2005-11-22
Updated
2011-03-08
IBM WebSphere Application Server 6.0.2 before FixPack 3 allows remote attackers to bypass authentication for the Welcome Page via a request to the default context root.
Max CVSS
7.5
EPSS Score
15.51%
Published
2006-05-12
Updated
2017-07-20
IBM WebSphere Application Server 5.0.2 (or any earlier cumulative fix) and 5.1.1 (or any earlier cumulative fix) allows EJB access on Solaris systems via a crafted LTPA token.
Max CVSS
7.5
EPSS Score
2.02%
Published
2006-05-17
Updated
2011-03-08
WebSphere Application Server 5.0.2 (or any earlier cumulative fix) stores admin and LDAP passwords in plaintext in the FFDC logs when a login to WebSphere fails, which allows attackers to gain privileges.
Max CVSS
7.5
EPSS Score
0.42%
Published
2006-05-17
Updated
2011-03-08
Multiple unspecified vulnerabilities in IBM WebSphere Application Server before 6.1.0.1 have unspecified impact and attack vectors involving (1) "SOAP requests and responses", (2) mbean, (3) ThreadIdentitySupport, and possibly others.
Max CVSS
7.5
EPSS Score
0.69%
Published
2006-08-14
Updated
2011-03-08
The Web Services Notification (WSN) security component of IBM WebSphere Application Server before 6.1.0.2 allows attackers to obtain unspecified access without supplying a username and password, aka PK28374.
Max CVSS
7.5
EPSS Score
0.60%
Published
2006-10-17
Updated
2011-03-08
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) before 6.0.2.19 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a single CRLF sequence in a context that is not a valid multi-line header.
Max CVSS
7.5
EPSS Score
2.52%
Published
2007-03-22
Updated
2017-07-29
Unspecified vulnerability in the Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) before 6.1.0.7 has unknown impact and attack vectors.
Max CVSS
7.5
EPSS Score
0.39%
Published
2007-04-11
Updated
2017-07-29
Unspecified vulnerability in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1.0.7 and earlier allows remote attackers to cause a denial of service related to a thread hang, and possibly related to a "TCP issue," or to MPAlarmThread and a resultant memory leak.
Max CVSS
7.8
EPSS Score
3.48%
Published
2007-06-19
Updated
2017-07-29
Unspecified vulnerability in the PD tools component in IBM WebSphere Application Server (WAS) 6.1 before Fix Pack 11 (6.1.0.11) has unknown impact and attack vectors, aka PK33803.
Max CVSS
7.5
EPSS Score
0.24%
Published
2007-09-12
Updated
2012-10-31
The HTTP_Request_Parser method in the HTTP Transport component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 allows remote attackers to cause a denial of service (controller 0C4 abend and application hang) via a long HTTP Host header, related to "storage overlay" on the stack and a "parse failure."
Max CVSS
7.8
EPSS Score
1.90%
Published
2008-10-22
Updated
2017-08-08
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0.1 on z/OS allows attackers to read arbitrary files via unknown vectors.
Max CVSS
7.8
EPSS Score
0.35%
Published
2009-02-02
Updated
2011-03-08
The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x before 6.0.2.31 and 6.1.x before 6.1.0.19, as used in WebSphere Application Server (WAS), set incorrect permissions for AF_UNIX sockets, which has unknown impact and local attack vectors.
Max CVSS
7.2
EPSS Score
0.05%
Published
2009-02-10
Updated
2017-08-08
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console.
Max CVSS
7.5
EPSS Score
0.74%
Published
2009-03-16
Updated
2017-08-08
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted request to a JAX-WS application.
Max CVSS
7.5
EPSS Score
0.33%
Published
2009-06-25
Updated
2017-08-17
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB).
Max CVSS
7.5
EPSS Score
0.66%
Published
2009-08-13
Updated
2017-08-17
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property.
Max CVSS
7.5
EPSS Score
0.78%
Published
2009-08-13
Updated
2017-08-17
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not properly read the portletServingEnabled parameter in ibm-portlet-ext.xmi, which allows remote attackers to bypass intended access restrictions via unknown vectors.
Max CVSS
7.5
EPSS Score
0.39%
Published
2009-08-13
Updated
2017-08-17
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to cause a denial of service via unknown vectors, related to "an error in fixpacks 6.1.0.23 and 6.1.0.25."
Max CVSS
7.8
EPSS Score
0.69%
Published
2009-09-21
Updated
2017-08-17
Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS have unknown impact and attack vectors.
Max CVSS
7.5
EPSS Score
0.18%
Published
2010-03-29
Updated
2010-03-30
57 vulnerabilities found
1 2 3
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!