CVEdetails.com

IBM » Websphere Commerce » 6.0.0.6 : Security Vulnerabilities

CPE Name: cpe:/a:ibm:websphere_commerce:6.0.0.6

Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
A dash marks a value the listing leaves blank; the "# of Exploits" column is blank for every entry.

1. CVE-2017-1398 | CWE-601 | Type: +Info | Published 2017-07-10 | Updated 2019-09-30
   Score 5.8 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial / Partial / None
   IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 6.0, 7.0, and 8.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 127385.

2. CVE-2016-6090 | CWE: - | Type: DoS | Published 2017-02-01 | Updated 2019-10-02
   Score 7.5 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial / Partial / Partial
   IBM WebSphere Commerce contains an unspecified vulnerability that could allow disclosure of user personal data, performing of unauthorized administrative operations, and potentially causing a denial of service.

3. CVE-2016-2862 | CWE-79 | Type: XSS | Published 2016-07-03 | Updated 2019-09-30
   Score 4.3 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None / Partial / None
   Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 before 7.0.0.9 cumulative iFix 3, and 8.0 before 8.0.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4. CVE-2016-0225 | CWE-200 | Type: +Info | Published 2016-02-29 | Updated 2019-09-30
   Score 4.0 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf./Integ./Avail.: Partial / None / None
   IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.9 allows remote authenticated Commerce Accelerator administrators to obtain sensitive information via unspecified vectors.

5. CVE-2016-0208 | CWE-284 | Type: DoS | Published 2016-03-13 | Updated 2019-09-30
   Score 4.3 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None / None / Partial
   IBM WebSphere Commerce 6.x through 6.0.0.11, 7.x through 7.0.0.9, and 8.x before 8.0.0.3 allows remote attackers to cause a denial of service (order-processing outage) via unspecified vectors.

6. CVE-2015-5009 | CWE-79 | Type: XSS | Published 2016-01-18 | Updated 2019-09-30
   Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Single system | Conf./Integ./Avail.: None / Partial / None
   Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through FP11, 6.0 Feature Pack 4, 7.0 through FP9, 7.0 Feature Pack 5 through 8, and 8.0 before 8.0.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

7. CVE-2015-5008 | CWE-79 | Type: XSS | Published 2016-01-18 | Updated 2019-09-30
   Score 4.3 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None / Partial / None
   Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through FP11, 6.0 Feature Pack 4, 7.0 through FP9, 7.0 Feature Pack 5 through 8, and 8.0 before 8.0.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

8. CVE-2015-5007 | CWE-352 | Type: XSS, CSRF | Published 2016-01-14 | Updated 2019-09-30
   Score 6.8 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial / Partial / Partial
   Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 through 7.0.0.9, and 7.0 Feature Pack 8 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

9. CVE-2015-0200 | CWE-200 | Type: +Info | Published 2015-05-29 | Updated 2019-09-30
   Score 2.1 | Gained Access Level: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial / None / None
   IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x before 7.0.0.8 IF2 allows local users to obtain sensitive database information via unspecified vectors.

10. CVE-2015-0196 | CWE: - | Type: Http R.Spl. | Published 2015-06-29 | Updated 2015-06-29
    Score 5.0 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: None / Partial / None
    CRLF injection vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11 and 7.0 before 7.0.0.8 Cumulative iFix 2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

11. CVE-2014-6211 | CWE-200 | Type: +Info | Published 2015-05-19 | Updated 2019-09-30
    Score 2.1 | Gained Access Level: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial / None / None
    The command-line scripts in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 through 7.0.0.9, and 7.0 Feature Pack 2 through 8, when debugging is configured, do not properly restrict the logging of personal data, which allows local users to obtain sensitive information by reading a log file.

12. CVE-2014-4834 | CWE: - | Type: DoS | Published 2014-11-05 | Updated 2019-09-30
    Score 4.3 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None / None / Partial
    IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application crash) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

13. CVE-2014-4769 | CWE: - | Type: - | Published 2014-11-05 | Updated 2019-09-30
    Score 4.0 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf./Integ./Avail.: Partial / None / None
    IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

14. CVE-2013-2993 | CWE-287 | Type: - | Published 2013-08-01 | Updated 2017-08-28
    Score 5.8 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial / Partial / None
    IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.7 does not properly perform authentication for unspecified web services, which allows remote attackers to issue requests in the context of an arbitrary user's active session via unknown vectors.

15. CVE-2013-0566 | CWE-79 | Type: XSS | Published 2013-08-26 | Updated 2019-09-30
    Score 4.3 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None / Partial / None
    Multiple cross-site scripting (XSS) vulnerabilities in the (1) Accelerator JSPs, (2) Organization Administration Console JSPs, and (3) Administration Console JSPs in WebSphere Commerce Tools in IBM WebSphere Commerce 5.6.1.0 through 5.6.1.5, 6.0.0.0 through 6.0.0.11, and 7.0.0.0 through 7.0.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

16. CVE-2013-0523 | CWE-200 | Type: +Info | Published 2013-06-21 | Updated 2019-09-30
    Score 4.3 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial / None / None
    IBM WebSphere Commerce Enterprise 5.6.x through 5.6.1.5, 6.0.x through 6.0.0.11, and 7.0.x through 7.0.0.7 does not use a suitable encryption algorithm for storefront web requests, which allows remote attackers to obtain sensitive information via a padding oracle attack that targets certain UTF-8 processing of the krypto parameter, and leverages unspecified browser access or traffic-log access.

17. CVE-2012-4855 | CWE: - | Type: DoS | Published 2013-03-05 | Updated 2019-09-30
    Score 4.3 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None / None / Partial
    Unspecified vulnerability in the web services framework in IBM WebSphere Commerce 6.0 through 6.0.0.11 and 7.0 through 7.0.0.6 allows remote attackers to cause a denial of service (login outage) via unknown vectors.

18. CVE-2012-4830 | CWE: - | Type: - | Published 2012-10-01 | Updated 2017-08-28
    Score 5.0 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial / None / None
    Unspecified vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11 and 7.0 through 7.0.0.6 allows remote attackers to obtain users' personal data via unknown vectors.

19. CVE-2011-3577 | CWE-287 | Type: - | Published 2011-09-20 | Updated 2019-09-30
    Score 10.0 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Complete / Complete / Complete
    IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.3 does not properly implement Activity Token authentication for Web Services, which has unspecified impact and attack vectors.

20. CVE-2010-2635 | CWE-89 | Type: Exec Code, Sql | Published 2010-11-09 | Updated 2017-08-16
    Score 6.5 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf./Integ./Avail.: Partial / Partial / Partial
    SQL injection vulnerability in IBM WebSphere Commerce 6.0 before 6.0.0.10 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters to "Commerce Organization Admin Console JavaServer pages."

21. CVE-2009-2094 | CWE: - | Type: +Info | Published 2009-08-13 | Updated 2017-08-16
    Score 1.5 | Gained Access Level: None | Access: Local | Complexity: Medium | Authentication: Single system | Conf./Integ./Avail.: Partial / None / None
    Unspecified vulnerability in IBM WebSphere Commerce 6.0 Enterprise before 6.0.0.8, when trace is enabled, allows local users to obtain sensitive information via unknown vectors.

22. CVE-2008-6973 | CWE: - | Type: - | Published 2009-08-13 | Updated 2017-08-16
    Score 10.0 | Gained Access Level: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Complete / Complete / Complete
    Multiple unspecified vulnerabilities in IBM WebSphere Commerce 6.0 before 6.0.0.7 have unknown impact and attack vectors.

Total number of vulnerabilities: 22
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.