IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 243161.

  

**Summary**

A cross-site scripting vulnerability in InfoSphere Information Server was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-47983  
**DESCRIPTION:**   IBM InfoSphere Information Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243161 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

  

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

26 Jan 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-47983: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983)

eCommerce Marketplace Platform CMS version 1.7 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'pg' is vulnerable to XSS/search?q=&pg=2vo1rf%3cscript%3ealert(1)%3c%2fscript%3ew6fsgPath: /categories/phonesGET parameter 'max_price' is vulnerable to XSS/categories/phones?min_price=2485&max_price=fulkc"><script>alert(1)</script>hpbwmPath: /categories/phonesGET parameter 'min_price' is vulnerable to XSS/categories/phones?min_price=2485i95td%22%3e%3cscript%3ealert(1)%3c%2fscript%3erziag[-] Done

eCommerce Marketplace Platform CMS 1.7 Cross Site Scripting

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.

**Microweber contains Cross-site Scripting**

Moderate severity GitHub Reviewed Published Feb 1, 2023 to the GitHub Advisory Database • Updated Feb 2, 2023

GHSA-pj97-r83v-vj7f: Microweber contains Cross-site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606.

@@ -10,10 +10,17 @@

$active\_nav = 'templates';

include\_once ADMIN\_VIEWS\_DIR . DS . 'header.php';

  

$templates = look\_for\_templates();

$valid\_templates = array\_map(function($t) { return $t\['location'\]; }, $templates);

  

/\*\*

\* Changing the client's template

\*/

if (isset($\_GET\['activate\_template'\])) {

if (!in\_array($\_GET\['activate\_template'\], $valid\_templates)) {

exit\_with\_error\_code(403);

}

  

$save = save\_option('selected\_clients\_template', $\_GET\['activate\_template'\]);

  

global $flash;

@@ -28,8 +35,6 @@

  

ps\_redirect(BASE\_URI . 'templates.php');

}

  

$templates = look\_for\_templates();

?>

<div class\="row"\>

<div class\="col-12 col-sm-12 col-lg-12"\>

CVE-2023-0607: Fix XSS when changing template · projectsend/projectsend@698be4a

Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to `res.render`.

**TL;DR**

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

**Practical Implications**

*   Configuration must be passed to renderFile explicitly, rather than merged with the data parameter
*   Using Express.js app.set() to modify views and view cache will no longer change Eta's configuration of views and cache.
    *   However, since Express still uses its own views and view cache options under the hood, users should configure both Eta and Express with desired values (example below)
*   Eta no longer recognizes the legacy Express.js settings["view options"] property

**Example Code Changes**

// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2

// Change THIS:
var eta \= require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta \= require("eta")
app.engine("eta", eta.renderFile)
eta.configure({  views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")

**Commits**

*   Don't use data object for Eta configuration (#214) 5651392

v1.14.2...v2.0.0

CVE-2023-23630: Release Version 2.0.0 · eta-dev/eta

Cross-site Scripting (XSS) - Reflected in GitHub repository ampache/ampache prior to 5.5.7.

@@ -419,7 +419,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat

}

  

// play the song instead of going through all the crap

header('Location: ' . $media\->play\_url('', $player, false, $user\->id, $user\->streamtoken));

header('Location: ' . $media\->play\_url('', $player, false, $user\->id, $user\->streamtoken), true, 303);

  

return null;

}

@@ -459,7 +459,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat

}

  

// play the song instead of going through all the crap

header('Location: ' . $media\->play\_url('', $player, false, $user\->id, $user\->streamtoken));

header('Location: ' . $media\->play\_url('', $player, false, $user\->id, $user\->streamtoken), true, 303);

  

return null;

}

@@ -533,7 +533,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat

if ($type == "song\_preview" && $media instanceof Song\_Preview) {

$media\->stream();

} else {

header('Location: ' . $media\->file);

header('Location: ' . $media\->file, true, 303);

  

return null;

}

CVE-2023-0606: sanitize special characters in action gets · ampache/ampache@d319150

### Impact
XSS attack - anyone using the Express API is impacted

### Patches
The problem has been resolved. Users should upgrade to version 2.0.0.

### Workarounds
Don't pass user supplied data directly to `res.renderFile`. 

### References
_Are there any links users can visit to find out more?_
See https://github.com/eta-dev/eta/releases/tag/v2.0.0

**Package**

npm eta (npm)

**Affected versions**

< 2.0.0

**Patched versions**

2.0.0

**Description**

**Impact**

XSS attack - anyone using the Express API is impacted

**Patches**

The problem has been resolved. Users should upgrade to version 2.0.0.

**Workarounds**

Don't pass user supplied data directly to res.renderFile.

**References**

_Are there any links users can visit to find out more?_  
See https://github.com/eta-dev/eta/releases/tag/v2.0.0

**References**

*   GHSA-xrh7-m5pp-39r6
*   eta-dev/eta@5651392

Last updated

Jan 31, 2023

Reviewed

Jan 31, 2023

Published to the GitHub Advisory Database

Jan 31, 2023

 nebrelbug published to eta-dev/eta

Jan 28, 2023

GHSA-xrh7-m5pp-39r6: XSS Attack with Express API

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS).

CVE-2022-47701

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS) via the URL filtering feature in the router.

CVE-2022-47698

Red Hat Security Advisory 2023-0553-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update  
Advisory ID:       RHSA-2023:0553-01  
Product:           Red Hat JBoss Enterprise Application Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0553  
Issue date:        2023-01-31  
CVE Names:         CVE-2015-9251 CVE-2016-10735 CVE-2017-18214   
                   CVE-2018-14040 CVE-2018-14041 CVE-2018-14042   
                   CVE-2019-8331 CVE-2019-11358 CVE-2020-11022   
                   CVE-2020-11023 CVE-2022-3143 CVE-2022-40149   
                   CVE-2022-40150 CVE-2022-40152 CVE-2022-42003   
                   CVE-2022-42004 CVE-2022-45047 CVE-2022-45693   
                   CVE-2022-46364   
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application  
Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has  
rated this update as having a security impact of Important. A Common  
Vulnerability Scoring System (CVSS) base score, which gives a detailed  
severity rating, is available for each vulnerability from the CVE link(s)  
in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.4 for RHEL 8 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java  
applications based on the WildFly application runtime. This release of Red  
Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for  
Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes  
and enhancements. See the Red Hat JBoss Enterprise Application Platform  
7.4.9 Release Notes for information about the most significant bug fixes  
and enhancements included in this release.

Security Fix(es):

* jquery: Prototype pollution in object's prototype leading to denial of  
service, remote code execution, or property injection (CVE-2019-11358)

* jquery: Cross-site scripting via cross-domain ajax requests  
(CVE-2015-9251)

* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent  
attribute  
(CVE-2018-14040)

* jquery: Untrusted code execution via <option> tag in HTML passed to DOM  
manipulation methods (CVE-2020-11023)

* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter  
method  
(CVE-2020-11022)

* bootstrap: XSS in the data-target attribute (CVE-2016-10735)

* bootstrap: Cross-site Scripting (XSS) in the data-target property of  
scrollspy  
(CVE-2018-14041)

* sshd-common: mina-sshd: Java unsafe deserialization vulnerability  
(CVE-2022-45047)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40152)

* bootstrap: Cross-site Scripting (XSS) in the data-container property of  
tooltip (CVE-2018-14042)

* bootstrap: XSS in the tooltip or popover data-template attribute  
(CVE-2019-8331)

* nodejs-moment: Regular expression denial of service (CVE-2017-18214)

* wildfly-elytron: possible timing attacks via use of unsafe comparator  
(CVE-2022-3143)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS  
(CVE-2022-42003)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* jettison: memory exhaustion via user-supplied XML or JSON data  
(CVE-2022-40150)

* jettison: If the value in map is the map's self, the new new  
JSONObject(map) cause StackOverflowError which may lead to dos  
(CVE-2022-45693)

* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests  
1553413 - CVE-2017-18214 nodejs-moment: Regular expression denial of service  
1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute  
1601616 - CVE-2018-14041 bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy  
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip  
1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute  
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute  
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection  
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method  
1850004 - CVE-2020-11023 jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods  
2124682 - CVE-2022-3143 wildfly-elytron: possible timing attacks via use of unsafe comparator  
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data  
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow  
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability  
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability  
2155970 - CVE-2022-45693 jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001  
JBEAP-23865 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001  
JBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001  
JBEAP-23927 - Tracker bug for the EAP 7.4.9 release for RHEL-8  
JBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001  
JBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001  
JBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001  
JBEAP-24100 - [GSS](7.4.z) Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001  
JBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value  
JBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001  
JBEAP-24132 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001  
JBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001  
JBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002  
JBEAP-24191 - [GSS](7.4.z) Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001  
JBEAP-24195 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001  
JBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003  
JBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2  
JBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001  
JBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001

7. Package List:

Red Hat JBoss EAP 7.4 for RHEL 8:

Source:  
eap7-apache-sshd-2.9.2-1.redhat_00001.1.el8eap.src.rpm  
eap7-elytron-web-1.9.3-1.Final_redhat_00001.1.el8eap.src.rpm  
eap7-hal-console-3.3.16-1.Final_redhat_00001.1.el8eap.src.rpm  
eap7-hibernate-search-5.10.13-3.Final_redhat_00001.1.el8eap.src.rpm  
eap7-ironjacamar-1.5.10-1.Final_redhat_00001.1.el8eap.src.rpm  
eap7-jackson-annotations-2.12.7-1.redhat_00003.1.el8eap.src.rpm  
eap7-jackson-core-2.12.7-1.redhat_00003.1.el8eap.src.rpm  
eap7-jackson-databind-2.12.7-1.redhat_00003.1.el8eap.src.rpm  
eap7-jackson-jaxrs-providers-2.12.7-1.redhat_00003.1.el8eap.src.rpm  
eap7-jackson-modules-base-2.12.7-1.redhat_00003.1.el8eap.src.rpm  
eap7-jackson-modules-java8-2.12.7-1.redhat_00003.1.el8eap.src.rpm  
eap7-javaee-security-soteria-1.0.1-3.redhat_00003.1.el8eap.src.rpm  
eap7-jboss-ejb-client-4.0.49-1.Final_redhat_00001.1.el8eap.src.rpm  
eap7-jboss-jsf-api_2.3_spec-3.0.0-6.SP07_redhat_00001.1.el8eap.src.rpm  
eap7-jboss-jsp-api_2.3_spec-2.0.0-3.Final_redhat_00001.1.el8eap.src.rpm  
eap7-jboss-remoting-5.0.27-1.Final_redhat_00001.1.el8eap.src.rpm  
eap7-jboss-server-migration-1.10.0-24.Final_redhat_00023.1.el8eap.src.rpm  
eap7-jettison-1.5.2-1.redhat_00002.1.el8eap.src.rpm  
eap7-undertow-2.2.22-1.SP3_redhat_00001.1.el8eap.src.rpm  
eap7-wildfly-7.4.9-4.GA_redhat_00003.1.el8eap.src.rpm  
eap7-wildfly-elytron-1.15.16-1.Final_redhat_00001.1.el8eap.src.rpm  
eap7-woodstox-core-6.4.0-1.redhat_00001.1.el8eap.src.rpm

noarch:  
eap7-apache-sshd-2.9.2-1.redhat_00001.1.el8eap.noarch.rpm  
eap7-hal-console-3.3.16-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-hibernate-search-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-hibernate-search-backend-jgroups-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-hibernate-search-backend-jms-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-hibernate-search-engine-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-hibernate-search-orm-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-hibernate-search-serialization-avro-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-common-api-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-common-impl-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-common-spi-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-core-api-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-core-impl-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-deployers-common-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-jdbc-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-ironjacamar-validator-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-jackson-annotations-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-core-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-databind-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-datatype-jdk8-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-datatype-jsr310-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-jaxrs-base-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-jaxrs-json-provider-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-module-jaxb-annotations-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-modules-base-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-jackson-modules-java8-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm  
eap7-javaee-security-soteria-1.0.1-3.redhat_00003.1.el8eap.noarch.rpm  
eap7-javaee-security-soteria-enterprise-1.0.1-3.redhat_00003.1.el8eap.noarch.rpm  
eap7-jboss-ejb-client-4.0.49-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-jboss-jsf-api_2.3_spec-3.0.0-6.SP07_redhat_00001.1.el8eap.noarch.rpm  
eap7-jboss-jsp-api_2.3_spec-2.0.0-3.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-jboss-remoting-5.0.27-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-jboss-server-migration-1.10.0-24.Final_redhat_00023.1.el8eap.noarch.rpm  
eap7-jboss-server-migration-cli-1.10.0-24.Final_redhat_00023.1.el8eap.noarch.rpm  
eap7-jboss-server-migration-core-1.10.0-24.Final_redhat_00023.1.el8eap.noarch.rpm  
eap7-jettison-1.5.2-1.redhat_00002.1.el8eap.noarch.rpm  
eap7-undertow-2.2.22-1.SP3_redhat_00001.1.el8eap.noarch.rpm  
eap7-undertow-server-1.9.3-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-wildfly-7.4.9-4.GA_redhat_00003.1.el8eap.noarch.rpm  
eap7-wildfly-elytron-1.15.16-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-wildfly-elytron-tool-1.15.16-1.Final_redhat_00001.1.el8eap.noarch.rpm  
eap7-wildfly-javadocs-7.4.9-4.GA_redhat_00003.1.el8eap.noarch.rpm  
eap7-wildfly-modules-7.4.9-4.GA_redhat_00003.1.el8eap.noarch.rpm  
eap7-woodstox-core-6.4.0-1.redhat_00001.1.el8eap.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2015-9251  
https://access.redhat.com/security/cve/CVE-2016-10735  
https://access.redhat.com/security/cve/CVE-2017-18214  
https://access.redhat.com/security/cve/CVE-2018-14040  
https://access.redhat.com/security/cve/CVE-2018-14041  
https://access.redhat.com/security/cve/CVE-2018-14042  
https://access.redhat.com/security/cve/CVE-2019-8331  
https://access.redhat.com/security/cve/CVE-2019-11358  
https://access.redhat.com/security/cve/CVE-2020-11022  
https://access.redhat.com/security/cve/CVE-2020-11023  
https://access.redhat.com/security/cve/CVE-2022-3143  
https://access.redhat.com/security/cve/CVE-2022-40149  
https://access.redhat.com/security/cve/CVE-2022-40150  
https://access.redhat.com/security/cve/CVE-2022-40152  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-45047  
https://access.redhat.com/security/cve/CVE-2022-45693  
https://access.redhat.com/security/cve/CVE-2022-46364  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9lDHtzjgjWX9erEAQhkgw/9ErQe5kAdnHoGisF2rHzfWS5NoLmISZwP  
fy6ZPNQtLvT3WDJIdZ+/8vgjxvE7AIsA4wgZNpwAEdpICwvMv44MOqOd0xEv1vx3  
YJPkkjHZwLLP6II2KT61djQoQZMgrtRaJC/zI7QaQaG2PMoz1bOvGLRuF23QIOI3  
pw3cxw/Fe0QKSi1ejYcm4HoFu00SkreFB6gFwZGPCYCnx6ZeO/tTtqeqPbQfl4Iv  
inq6c3JCzQr9RY6Phj3LMWMUb9+0POZDr8CqHFZKvpcy6Ue7gyeOOalqff5Esk3h  
BPfI9KoYgE/vb9CqoOq6R4HS9Hl1XaY6hSFJxTmtXiWIatLh4wCMPn0Qc5EbFCpc  
rextHQXuNY0zS8ahZBgbBBgnTcDSvE3knsm75zUtXZArforumjlPWaGCkSbUbWil  
rHXQV4QCTSw7PJtrQI3W0jBAhXzKdWs9KvrJmqho1PEvfblCyGkGQJL3B81tFsw1  
75uyRIw1953wVH08EqYX5pbEOly/pCGKgG3D/kLOffN0AGjSyrxx7OQTeb39SmP2  
wp8H5DmfkC3n9apNsJKoaj2siUo3p8NYptN1sgDCnFxqnsxWTBiekAuasri42x97  
QvGZv27zlf4LhuFkCzRrSMGszrdtr/+P/6JOy5hi+JKo7SuKcvDHI0IcImWq0HBi  
Wb9PIkTxF9A=  
=bqBh  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#xss