CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

IBM » Websphere Application Server » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-22365 2022-05-20 2022-06-02
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by allowing a man-in-the-middle attacker to spoof SSL server hostnames. IBM X-Force ID: 220904.
2 CVE-2021-39038 1021 2022-02-24 2022-03-03
3.5
None Remote Medium ??? None Partial None
IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968.
3 CVE-2021-29842 307 2021-09-16 2021-09-27
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.
4 CVE-2021-20492 611 2021-05-26 2021-06-04
6.4
None Remote Low Not required Partial None Partial
IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
5 CVE-2021-20454 611 2021-04-21 2021-04-23
6.4
None Remote Low Not required Partial None Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.
6 CVE-2021-20453 611 2021-04-20 2022-05-03
6.4
None Remote Low Not required Partial None Partial
IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.
7 CVE-2021-20353 611 2021-02-10 2021-02-11
6.4
None Remote Low Not required Partial None Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882.
8 CVE-2020-5016 22 Dir. Trav. 2021-03-10 2021-03-17
3.5
None Remote Medium ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. When application security is disabled and JAX-RPC applications are present, an attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary xml files on the system. This does not occur if Application security is enabled. IBM X-Force ID: 193556.
9 CVE-2020-4643 611 2020-09-21 2020-09-24
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590.
10 CVE-2020-4589 502 Exec Code 2020-08-13 2022-05-03
10.0
None Remote Low Not required Complete Complete Complete
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 184585.
11 CVE-2020-4576 +Info 2020-10-01 2020-10-08
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 184428.
12 CVE-2020-4575 79 XSS 2020-08-27 2020-08-27
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server ND 8.5 and 9.0, and IBM WebSphere Virtual Enterprise 7.0 and 8.0 are vulnerable to cross-site scripting when High Availability Deployment Manager is configured.
13 CVE-2020-4464 502 Exec Code 2020-07-17 2020-07-22
9.0
None Remote Low ??? Complete Complete Complete
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489.
14 CVE-2020-4450 502 Exec Code 2020-06-05 2020-06-09
10.0
None Remote Low Not required Complete Complete Complete
IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231.
15 CVE-2020-4449 200 +Info 2020-06-05 2021-07-21
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230.
16 CVE-2020-4448 502 Exec Code 2020-06-05 2020-06-10
10.0
None Remote Low Not required Complete Complete Complete
IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 181228.
17 CVE-2020-4362 269 2020-04-10 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929.
18 CVE-2020-4329 200 +Info 2020-04-28 2021-07-21
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.
19 CVE-2020-4276 269 2020-03-26 2021-07-21
6.0
None Remote Medium ??? Partial Partial Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984.
20 CVE-2020-4163 269 2020-02-04 2021-07-21
6.0
None Remote Medium ??? Partial Partial Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397.
21 CVE-2019-4720 770 DoS 2020-01-31 2020-08-24
5.0
None Remote Low Not required None None Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125.
22 CVE-2019-4670 +Info 2020-02-05 2020-08-24
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper data representation. IBM X-Force ID: 171319.
23 CVE-2019-4505 +Info 2019-09-20 2020-08-24
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Network Deployment could allow a remote attacker to obtain sensitive information, caused by sending a specially-crafted URL. This can lead the attacker to view any file in a certain directory. IBM X-Force ID: 164364.
24 CVE-2019-4477 269 +Info 2019-09-17 2020-08-24
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information, caused by improper handling of command line options. IBM X-Force ID: 163997.
25 CVE-2019-4442 22 Dir. Trav. 2019-09-17 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9,0 could allow a remote attacker to traverse directories on the file system. An attacker could send a specially-crafted URL request to view arbitrary files on the system but not content. IBM X-Force ID: 163226.
26 CVE-2019-4279 502 Exec Code 2019-05-17 2019-05-24
10.0
None Remote Low Not required Complete Complete Complete
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.
27 CVE-2019-4271 20 2019-09-17 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable to a Client-side HTTP parameter pollution vulnerability. IBM X-Force ID: 160243.
28 CVE-2019-4270 79 XSS 2019-09-17 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 160203.
29 CVE-2019-4269 209 +Info 2019-06-28 2020-08-24
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console could allow a remote attacker to obtain sensitive information when a specially crafted url causes a stack trace to be dumped. IBM X-Force ID: 160202.
30 CVE-2019-4268 22 Dir. Trav. 2019-09-17 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 160201.
31 CVE-2019-4080 400 DoS 2019-04-02 2019-10-09
6.8
None Remote Low ??? None None Complete
IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 is vulnerable to a potential denial of service, caused by improper parameter parsing. A remote attacker could exploit this to consume all available CPU resources. IBM X-Force ID: 157380.
32 CVE-2019-4046 400 DoS 2019-03-25 2019-10-09
5.0
None Remote Low Not required None None Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of Memory. IBM X-Force ID: 156242.
33 CVE-2019-4030 79 XSS 2019-03-06 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 155946.
34 CVE-2018-1996 327 +Info 2019-02-19 2020-08-24
3.5
None Remote Medium ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 154650.
35 CVE-2018-1957 200 +Info 2018-12-10 2019-10-09
2.1
None Local Low Not required Partial None None
IBM WebSphere Application Server 9 could allow sensitive information to be available caused by mishandling of data by the application based on an incorrect return by the httpServletRequest#authenticate() API when an unprotected URI is accessed. IBM X-Force ID: 153629.
36 CVE-2018-1926 352 CSRF 2018-12-12 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious URL, a remote attacker could send a specially-crafted request. An attacker could exploit this vulnerability to perform CSRF attack and update available applications. IBM X-Force ID: 152992.
37 CVE-2018-1905 611 2018-11-26 2019-10-09
5.5
None Remote Low ??? Partial None Partial
IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534.
38 CVE-2018-1904 502 Exec Code 2018-12-11 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533.
39 CVE-2018-1902 200 +Info 2019-03-11 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to spoof connection information which could be used to launch further attacks against the system. IBM X-Force ID: 152531.
40 CVE-2018-1901 +Priv 2018-12-12 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used. IBM X-Force ID: 152530.
41 CVE-2018-1840 668 +Priv 2018-12-03 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to gain elevated privileges on the system, caused when a security domain is configured to use a federated repository other than global federated repository and then migrated to a newer release of WebSphere Application Server. IBM X-Force ID: 150813.
42 CVE-2018-1798 79 XSS 2018-11-12 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 149428.
43 CVE-2018-1797 22 Dir. Trav. 2018-11-16 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip". IBM X-Force ID: 149427.
44 CVE-2018-1794 79 XSS 2018-10-03 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using OAuth ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148949.
45 CVE-2018-1777 79 XSS 2018-10-16 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148800.
46 CVE-2018-1770 22 Dir. Trav. 2018-10-12 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148686.
47 CVE-2018-1767 79 XSS 2018-10-29 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Cachemonitor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148621.
48 CVE-2018-1719 2018-09-14 2020-08-24
4.3
None Remote Medium Not required Partial None None
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security under certain conditions. This could result in a downgrade of TLS protocol. A remote attacker could exploit this vulnerability to perform man-in-the-middle attacks. IBM X-Force ID: 147292.
49 CVE-2018-1643 79 XSS 2018-11-15 2019-10-09
4.3
None Remote Medium Not required None Partial None
The Installation Verification Tool of IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 144588
50 CVE-2018-1567 502 Exec Code 2018-09-07 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.
Total number of vulnerabilities : 103   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.