Search
Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-3606 | 1 Redhat | 1 Jboss Application Server | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution. | |||||
| CVE-2011-3609 | 1 Redhat | 1 Jboss Application Server | 2019-12-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker. | |||||
| CVE-2013-3734 | 1 Redhat | 1 Jboss Application Server | 2017-11-17 | 6.0 MEDIUM | 6.6 MEDIUM |
| ** DISPUTED ** The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console. | |||||