U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:ibm:websphere_application_server:5.1.1.5:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 59 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2013-0542

Cross-site scripting (XSS) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 allows remote attackers to inject arbitrary web script or HTML via crafted field values.

Published: April 24, 2013; 6:28:37 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-2162

The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack.

Published: May 01, 2012; 3:55:02 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2010-3271

Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDetail.do followed by a save action to console/syncworkspace.do.

Published: July 18, 2011; 6:55:00 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2011-1318

Memory leak in org.apache.jasper.runtime.JspWriterImpl.response in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by accessing a JSP page of an application that is repeatedly stopped and restarted.

Published: March 08, 2011; 4:59:35 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-1316

The Session Initiation Protocol (SIP) Proxy in the HTTP Transport component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (worker thread exhaustion and UDP messaging outage) by sending many UDP messages.

Published: March 08, 2011; 4:59:34 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-1315

Memory leak in the messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via network connections associated with a NULL return value from a synchronous JMS receive call.

Published: March 08, 2011; 4:59:34 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-1314

The Service Integration Bus (SIB) messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (daemon hang) by performing close operations via network connections to a queue manager.

Published: March 08, 2011; 4:59:34 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-1311

The Security component in IBM WebSphere Application Server (WAS) before 7.0.0.15, when a J2EE 1.4 application is used, determines the security role mapping on the basis of the ibm-application-bnd.xml file instead of the intended ibm-application-bnd.xmi file, which might allow remote authenticated users to gain privileges in opportunistic circumstances by requesting a service.

Published: March 08, 2011; 4:59:34 PM -0500
V3.x:(not available)
V2.0: 6.0 MEDIUM
CVE-2011-1309

The Plug-in component in IBM WebSphere Application Server (WAS) before 7.0.0.15 does not properly handle trace requests, which has unspecified impact and attack vectors.

Published: March 08, 2011; 4:59:34 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2011-1308

Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: March 08, 2011; 4:59:34 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-1307

The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a temporary log directory, which allows local users to have unintended access to log files via standard filesystem operations, a different vulnerability than CVE-2009-1173.

Published: March 08, 2011; 4:59:34 PM -0500
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2010-2325

Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."

Published: June 18, 2010; 2:30:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2010-2324

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via unknown vectors.

Published: June 18, 2010; 2:30:01 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2010-2323

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT.

Published: June 18, 2010; 2:30:01 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2010-2087

Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

Published: May 27, 2010; 3:00:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2010-0770

IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote authenticated users to cause a denial of service (ORB ListenerThread hang) by aborting an SSL handshake.

Published: April 01, 2010; 3:30:00 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2010-0769

IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 does not properly define wsadmin scripting J2CConnectionFactory objects, which allows local users to discover a KeyRingPassword password by reading a cleartext field in the resources.xml file.

Published: April 01, 2010; 3:30:00 PM -0400
V3.x:(not available)
V2.0: 1.9 LOW
CVE-2010-0768

Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote attackers to inject arbitrary web script or HTML via the URI.

Published: April 01, 2010; 3:30:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2009-1901

The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has unknown impact and remote attack vectors.

Published: June 03, 2009; 1:00:00 PM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2009-1900

The Configservice APIs in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5, when tracing is enabled, allow remote attackers to obtain sensitive information via unspecified use of the wsadmin scripting tool.

Published: June 03, 2009; 1:00:00 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM