Description
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
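A check for the exposure described above, as an added example that is not part of the original advisory or of Apache CXF: it parses a SOAP envelope and reports any `wsse:UsernameToken` that is readable in the `wsse:Security` header instead of being replaced by `xenc:EncryptedData`. The function name and both sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"


def cleartext_username_tokens(envelope_xml):
    """Return one finding per wsse:UsernameToken readable in a wsse:Security header."""
    if "<!DOCTYPE" in envelope_xml:  # SOAP messages must not carry a DTD
        raise ValueError("DTD in SOAP message")
    findings = []
    for sec in ET.fromstring(envelope_xml).iter(f"{{{WSSE}}}Security"):
        for tok in sec.iter(f"{{{WSSE}}}UsernameToken"):
            pw = tok.find(f"{{{WSSE}}}Password")
            # Type is a URI ending in #PasswordText or #PasswordDigest;
            # PasswordText is the default when the attribute is omitted.
            pw_type = None if pw is None else (
                pw.get("Type", "").rpartition("#")[2] or "PasswordText")
            findings.append({"username": tok.findtext(f"{{{WSSE}}}Username"),
                             "password_type": pw_type})
    return findings


# Constructed sample messages (not captured traffic).
_ENVELOPE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
             f'xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
             '<s:Header><wsse:Security>%s</wsse:Security></s:Header>'
             '<s:Body/></s:Envelope>')

# What the affected configuration puts on the wire: the token itself.
EXPOSED = _ENVELOPE % (
    '<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
    '<wsse:Password>example-secret</wsse:Password></wsse:UsernameToken>')

# What an EncryptedSupportingToken should look like: ciphertext in its place.
PROTECTED = _ENVELOPE % (
    '<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData>')

if __name__ == "__main__":
    for name, msg in (("exposed", EXPOSED), ("protected", PROTECTED)):
        print(name, cleartext_username_tokens(msg))
```

An empty result only shows that no token is readable in the header; it does not validate the encryption itself.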
Remediation
References