Actu
Vigil@nce - IBM WebSphere AS 7.0: multiple vulnerabilities
January 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of WebSphere AS 7.0.
Impacted products: WebSphere AS
Severity: 2/4
Creation date: 13/01/2014
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in WebSphere AS 7.0.
An attacker can trigger a Cross Site Scripting in the
Administrative Console, in order to execute JavaScript code in the
context of the web site. [severity:2/4; BID-61901, CVE-2013-4005,
PM88208]
An attacker can trigger a Cross Site Scripting in the
Administration Console, in order to execute JavaScript code in the
context of the web site. [severity:2/4; BID-63778, CVE-2013-5418,
PM96477]
When an attacker can transmit data to compress by bzip2 to Apache
Ant or Apache Commons Compress, he can create a denial of service
(VIGILANCE-VUL-11654 (https://vigilance.fr/tree/1/11654?w=66901)).
[severity:1/4; BID-53676, CVE-2012-2098, PM90088]
An attacker can send malicious XML data to the XML Parser, in
order to trigger a denial of service. [severity:2/4; BID-65096,
CVE-2013-6325, PM99450]
An attacker can trigger a Cross Site Scripting in UDDI
Administrative Console, in order to execute JavaScript code in the
context of the web site. [severity:2/4; BID-62336, CVE-2013-4052,
PM91892]
An attacker can use special characters, which are not filtered by
mod_rewrite of Apache httpd 2.2, in order to inject them in the
log file (VIGILANCE-VUL-12790 (https://vigilance.fr/tree/1/12790?w=66901)).
[severity:2/4; CVE-2013-1862, PM87808]
An attacker can send a MERGE query for mod_dav of Apache HTTP
Server, in order to trigger a denial of service
(VIGILANCE-VUL-13117 (https://vigilance.fr/tree/1/13117?w=66901)).
[severity:2/4; CVE-2013-1896, PM89996]
An attacker can escalate his privileges during the migration.
[severity:2/4; BID-63781, CVE-2013-5414, PM92313]
An attacker can trigger a Cross Site Scripting, in order to
execute JavaScript code in the context of the web site.
[severity:2/4; BID-65099, CVE-2013-6725, PM98132]
An attacker can trigger a Cross Site Scripting, in order to
execute JavaScript code in the context of the web site.
[severity:2/4; BID-63780, CVE-2013-5417, PM93323, PM93944]
An attacker can use simpleFileServlet, in order to obtain
sensitive information. [severity:2/4; BID-65100, CVE-2013-6330,
PM98624]
An unknown vulnerability was announced in WS-SECURITY XML Digital
Signature. [severity:2/4; BID-62338, CVE-2013-4053, PM90949,
PM91521]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-WebSphere-AS-7-0-multiple-vulnerabilities-14057
