CVE-2007-6433

high

Description

The getRenderedEjbql method in the org.jboss.seam.framework.Query class in JBoss Seam 2.x before 2.0.0.CR3 allows remote attackers to inject and execute arbitrary EJBQL commands via the order parameter.

References

http://www.vupen.com/english/advisories/2007/4215

http://www.securityfocus.com/bid/26850

http://www.redhat.com/support/errata/RHSA-2008-0213.html

http://www.redhat.com/support/errata/RHSA-2008-0158.html

http://www.redhat.com/support/errata/RHSA-2008-0151.html

http://sourceforge.net/project/shownotes.php?release_id=549490&group_id=22866

http://secunia.com/advisories/28077

http://osvdb.org/42631

Details

Source: Mitre, NVD

Published: 2007-12-18

Updated: 2011-03-08

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L