汇总 softwareag 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 XXE与SSRF 等安全问题,并影响 软件部署与生产负载 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-66837 | A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware | [email protected] | 6.8 | 0.05% | 2026-01-07 | 2026-01-21 |
| CVE-2025-66838 | In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. An attacker can exploit this behavior to rapidly upload a large volume of files, potentially leading to resource exhaustion such as disk space depletion, increased server load, or degraded performance | [email protected] | 6.5 | 0.03% | 2026-01-07 | 2026-01-21 |
| CVE-2023-6578 | A vulnerability classified as critical has been found in Software AG WebMethods 10.11.x/10.15.x. Affected is an unknown function of the file wm.server/connect/. The manipulation leads to improper access controls. It is possible to launch the attack remotely. To access a file like /assets/ a popup may request username and password. By just clicking CANCEL you will be redirected to the directory. If you visited /invoke/wm.server/connect, you'll be able to see details like internal IPs, ports, and | [email protected] | 7.3 | 0.05% | 2023-12-07 | 2024-11-21 |
| CVE-2023-0925 | Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port). Port 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this | [email protected] | 9.8 | 0.20% | 2023-09-06 | 2024-11-21 |
| CVE-2023-39017 | quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur. | [email protected] | 9.8 | 0.64% | 2023-07-28 | 2024-11-21 |
| CVE-2021-40650 | In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the secure flag set. | [email protected] | 6.5 | 0.16% | 2022-06-14 | 2024-11-21 |
| CVE-2021-40649 | In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the HttpOnly flag set. | [email protected] | 6.5 | 0.19% | 2022-06-14 | 2024-11-21 |
| CVE-2021-33207 | The HTTP client in MashZone NextGen through 10.7 GA deserializes untrusted data when it gets an HTTP response with a 570 status code. | [email protected] | 9.8 | 2.79% | 2022-04-05 | 2024-11-21 |
| CVE-2021-33523 | MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController. | [email protected] | 7.2 | 1.82% | 2022-03-30 | 2024-11-21 |
| CVE-2021-33581 | MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection. This occurs in com.idsscheer.ppmmashup.web.webservice.impl.ZPrestoAdminWebService. | [email protected] | 7.2 | 0.87% | 2022-03-30 | 2024-11-21 |
| CVE-2021-33208 | The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file. | [email protected] | 7.2 | 0.86% | 2022-03-30 | 2024-11-21 |
| CVE-2020-35469 | The Software AG Terracotta Server OSS Docker image 5.4.1 contains a blank password for the root user. Systems deployed using affected versions of the Terracotta Server OSS container may allow a remote attacker to achieve root access with a blank password. | [email protected] | 9.8 | 2.01% | 2020-12-16 | 2024-11-21 |
| CVE-2019-13990 | initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | [email protected] | 9.8 | 13.78% | 2019-07-26 | 2024-11-21 |