Vigil@nce - WebSphere 8.5: multiple vulnerabilities

May 2014 by Vigil@nce

This bulletin was written by Vigil@nce: http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can exploit several vulnerabilities in WebSphere 8.5.

Impacted products: WebSphere AS

Severity: 2/4

Creation date: 30/04/2014

DESCRIPTION OF THE VULNERABILITY

Several vulnerabilities were announced in WebSphere 8.5.

An attacker can use Compute Grid, in order to obtain sensitive
information. [severity:2/4; CVE-2013-4039, PM84760]

An attacker can trigger a Cross Site Scripting, in order to
execute JavaScript code in the context of the web site.
[severity:2/4; BID-65099, CVE-2013-6725, PM98132]

An attacker can send malicious XML data to the XML Parser, in
order to trigger a denial of service. [severity:2/4; BID-65096,
CVE-2013-6325, PM99450]

An attacker can trigger a Cross Site Scripting in Administration
Console, in order to execute JavaScript code in the context of the
web site. [severity:2/4; CVE-2013-6323, PI04777, PI04880]

An attacker can send malicious SSLv2 messages to applications
using IBM GSKit, in order to trigger a denial of service
(VIGILANCE-VUL-14155 (https://vigilance.fr/tree/1/14155?w=66901)).
[severity:2/4; BID-64249, CVE-2013-6329, PI05309]

An attacker can use Full/Liberty Profile, in order to obtain
sensitive information. [severity:2/4; CVE-2014-0823, PI05324]

An attacker can trigger a Cross Site Scripting in OAuth, in order
to execute JavaScript code in the context of the web site.
[severity:2/4; CVE-2013-6738, PI05661]

An attacker can use the Administrative Console, in order to
escalate his privileges. [severity:2/4; CVE-2014-0857, PI07808]

An attacker can use POST queries, in order to trigger a denial of
service. [severity:2/4; CVE-2014-0859, PI08892]

An attacker can send a DAV WRITE query starting with spaces, in
order to trigger a denial of service in mod_dav of Apache HTTP
Server (VIGILANCE-VUL-14439 (https://vigilance.fr/tree/1/14439?w=66901)).
[severity:2/4; CERTFR-2014-AVI-131, CVE-2013-6438, PI09345]

An attacker can send malicious SSL/TLS messages to applications
using IBM GSKit, in order to trigger a denial of service
(VIGILANCE-VUL-14158 (https://vigilance.fr/tree/1/14158?w=66901)).
[severity:2/4; CVE-2013-6747, PI09443]

An attacker can use Proxy and ODR, in order to obtain sensitive
information. [severity:1/4; CVE-2014-0892, PI09786]

An attacker can use Liberty Profile, in order to obtain sensitive
information. [severity:2/4; CVE-2014-0896, PI10134]

An attacker can use a long Content-Type header, to generate an
infinite loop in Apache Commons FileUpload or Apache Tomcat, in
order to trigger a denial of service (VIGILANCE-VUL-14183).
[severity:2/4; BID-65400, CVE-2014-0050, PI12648, PI12926, PI13162]

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/WebSphere-8-5-multiple-vulnerabilities-14684

