Vulnerabilities affecting IBM WebSphere Application Server 6.1.0.6

Each entry lists: date, CVE, title, description, attack vector, attack complexity, vendor and CWE, severity label (where given), and CVSS base score.

2009-06-25  CVE-2009-0903  Unspecified vulnerability in IBM WebSphere Application Server
    IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted request to a JAX-WS application.
    Vector: network | Complexity: low | Vendor: ibm | Score: 7.5

2009-03-31  CVE-2009-1172  Improper Input Validation vulnerability in IBM WebSphere Application Server
    The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors.
    Vector: network | Complexity: low | Vendor: ibm | CWE-20 | Severity: critical | Score: 10.0

2009-03-31  CVE-2009-0892  Improper Authentication vulnerability in IBM WebSphere Application Server
    The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout.
    Vector: network | Complexity: low | Vendor: ibm | CWE-287 | Score: 5.5

2009-03-25  CVE-2009-0891  Improper Authentication vulnerability in IBM WebSphere Application Server
    The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23), and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks.
    Vector: network | Complexity: low | Vendor: ibm | CWE-287 | Score: 5.5

2009-03-09  CVE-2009-0856  Cross-Site Scripting vulnerability in IBM WebSphere Application Server
    Multiple cross-site scripting (XSS) vulnerabilities in sample applications in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, and 6.1 before 6.1.0.23 on z/OS, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
    Vector: network | Vendor: ibm | CWE-79 | Score: 4.3

2009-02-10  CVE-2009-0436  Permissions, Privileges, and Access Controls vulnerability in IBM WebSphere Application Server
    The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x before 6.0.2.31 and 6.1.x before 6.1.0.19, as used in WebSphere Application Server (WAS), set incorrect permissions for AF_UNIX sockets, which has unknown impact and local attack vectors.
    Vector: local | Complexity: low | Vendor: ibm | CWE-264 | Score: 7.2

2009-02-10  CVE-2009-0435  Multiple vulnerability in IBM WebSphere Application Server
    Unspecified vulnerability in the IBM Asynchronous I/O (aka AIO or libibmaio) library in the Java Message Service (JMS) component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.17 on AIX 5.3 allows attackers to cause a denial of service (daemon crash) via vectors related to the aio_getioev2 and getEvent methods.
    Vector: network | Complexity: low | Vendor: ibm | Score: 5.0

2009-02-10  CVE-2009-0433  Multiple vulnerability in IBM WebSphere Application Server
    Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1.x before 5.1.1.19, 6.0.x before 6.0.2.29, and 6.1.x before 6.1.0.19, when Web Server plug-in content buffering is enabled, allows attackers to cause a denial of service (daemon crash) via unknown vectors, related to a mishandling of client read failures in which clients receive many 500 HTTP error responses and backend servers are incorrectly labeled as down.
    Vector: network | Complexity: high | Vendor: ibm | Score: 2.6

2009-02-10  CVE-2008-4284  Link Following vulnerability in IBM WebSphere Application Server
    Open redirect vulnerability in the ibm_security_logout servlet in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.x versions, 6.0.x before 6.0.2.33, and 6.1.x before 6.1.0.23 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage feature.
    Vector: network | Vendor: ibm | CWE-59 | Score: 5.8

2008-09-16  CVE-2008-4111  Unspecified vulnerability in IBM WebSphere Application Server 'FileServing' Feature
    Unspecified vulnerability in Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before 6.1.0.19, when the FileServing feature is enabled, has unknown impact and attack vectors.
    Vector: network | Vendor: ibm | Severity: critical | Score: 9.3