Aggregates CVE and security vulnerability intelligence across all rws-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk xxe and vendor risk ssrf and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-50849 | A Stored Cross-Site Scripting (XSS) vulnerability in the "Rules" functionality of WorldServer v11.8.2 allows a remote authenticated attacker to execute arbitrary JavaScript code. | [email protected] | 4.8 | 0.71% | 2024-11-18 | 2025-10-20 |
| CVE-2024-50848 | An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file. | [email protected] | 6.5 | 7.85% | 2024-11-18 | 2025-10-20 |
| CVE-2024-43025 | An HTML injection vulnerability in RWS MultiTrans v7.0.23324.2 and earlier allows attackers to alter the HTML-layout and possibly execute a phishing attack via a crafted payload injected into a sent e-mail. | [email protected] | 6.1 | 0.36% | 2024-09-18 | 2025-03-25 |
| CVE-2024-43024 | Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload. | [email protected] | 6.1 | 0.47% | 2024-09-18 | 2025-03-25 |
| CVE-2022-34270 | An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager. | [email protected] | 9.8 | 0.21% | 2024-02-29 | 2025-04-16 |
| CVE-2022-34269 | An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/load_dtd?system_id= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution. | [email protected] | 8.8 | 3.33% | 2024-02-29 | 2025-04-16 |
| CVE-2022-34268 | An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host. | [email protected] | 9.8 | 0.16% | 2023-12-25 | 2024-11-21 |
| CVE-2022-34267 | An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint. | [email protected] | 9.8 | 78.81% | 2023-12-25 | 2024-11-21 |
| CVE-2023-38357 | Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions. | [email protected] | 5.3 | 4.16% | 2023-08-01 | 2024-11-21 |
| CVE-2005-4548 | SQL injection vulnerability in the "user area" in RWS Statistics Counter before 2.4.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | [email protected] | 7.5 | 0.64% | 2005-12-28 | 2026-04-16 |