softwareag 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
Historical issues mainly involve vendor risk xxe and vendor risk ssrf and related security problems, affecting vendor surface software deployment and vendor surface production workloads scenarios.
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-66837 | A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware | [email protected] | 6.8 | 0.05% | 2026-01-07 | 2026-01-21 |
| CVE-2025-66838 | In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. An attacker can exploit this behavior to rapidly upload a large volume of files, potentially leading to resource exhaustion such as disk space depletion, increased server load, or degraded performance | [email protected] | 6.5 | 0.03% | 2026-01-07 | 2026-01-21 |
| CVE-2023-6578 | A vulnerability classified as critical has been found in Software AG WebMethods 10.11.x/10.15.x. Affected is an unknown function of the file wm.server/connect/. The manipulation leads to improper access controls. It is possible to launch the attack remotely. To access a file like /assets/ a popup may request username and password. By just clicking CANCEL you will be redirected to the directory. If you visited /invoke/wm.server/connect, you'll be able to see details like internal IPs, ports, and | [email protected] | 7.3 | 0.05% | 2023-12-07 | 2024-11-21 |
| CVE-2023-0925 | Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port). Port 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this | [email protected] | 9.8 | 0.20% | 2023-09-06 | 2024-11-21 |
| CVE-2023-39017 | quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur. | [email protected] | 9.8 | 0.64% | 2023-07-28 | 2024-11-21 |
| CVE-2021-40650 | In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the secure flag set. | [email protected] | 6.5 | 0.16% | 2022-06-14 | 2024-11-21 |
| CVE-2021-40649 | In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the HttpOnly flag set. | [email protected] | 6.5 | 0.19% | 2022-06-14 | 2024-11-21 |
| CVE-2021-33207 | The HTTP client in MashZone NextGen through 10.7 GA deserializes untrusted data when it gets an HTTP response with a 570 status code. | [email protected] | 9.8 | 2.79% | 2022-04-05 | 2024-11-21 |
| CVE-2021-33523 | MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController. | [email protected] | 7.2 | 1.82% | 2022-03-30 | 2024-11-21 |
| CVE-2021-33581 | MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection. This occurs in com.idsscheer.ppmmashup.web.webservice.impl.ZPrestoAdminWebService. | [email protected] | 7.2 | 0.87% | 2022-03-30 | 2024-11-21 |
| CVE-2021-33208 | The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file. | [email protected] | 7.2 | 0.86% | 2022-03-30 | 2024-11-21 |
| CVE-2020-35469 | The Software AG Terracotta Server OSS Docker image 5.4.1 contains a blank password for the root user. Systems deployed using affected versions of the Terracotta Server OSS container may allow a remote attacker to achieve root access with a blank password. | [email protected] | 9.8 | 2.01% | 2020-12-16 | 2024-11-21 |
| CVE-2019-13990 | initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | [email protected] | 9.8 | 13.78% | 2019-07-26 | 2024-11-21 |