Description

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class.

Remediation

References

CVE-2013-2133

Related Vulnerabilities

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-26594)

WordPress Plugin Ad Inserter-Ad Manager & AdSense Ads Cross-Site Scripting (1.5.5)

Ruby on Rails Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-8264)

WordPress Plugin Abstract Submission Local File Inclusion (0.6)

WordPress Plugin Clicky by Yoast Multiple Cross-Site Scripting Vulnerabilities (1.5)

Severity

Medium

Classification

CVE-2013-2133 CWE-264

Tags

Missing Update Known Vulnerabilities