CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1401 – Insufficient validation of provided paths in Exago WrImageResource.axd
https://notcve.org/view.php?id=CVE-2022-1401
Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00. Una vulnerabilidad de Control de Acceso Inapropiado en la ruta /Exago/WrImageResource.adx usada en Device42 Asset Management Appliance permite a un atacante no autenticado leer archivos confidenciales del servidor con permisos root. Este problema afecta a: Device42 CMDB versiones anteriores a 18.01.00. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1410 – Remote Code Execution in Device42 ApplianceManager console
https://notcve.org/view.php?id=CVE-2022-1410
OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions. Una vulnerabilidad de Inyección de Comandos del Sistema Operativo en el componente db_optimize de Device42 Asset Management Appliance permite a un atacante autenticado ejecutar código remoto en el dispositivo. Este problema afecta: Device42 CMDB versión 18.01.00 y versiones anteriores. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1400 – Hardcoded encryption key IV in Exago WebReportsApi.dll
https://notcve.org/view.php?id=CVE-2022-1400
Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00. Un uso de una vulnerabilidad de Clave Criptográfica Embebida en el archivo WebReportsApi.dll de Exago Web Reports, como es usado en el Device42 Asset Management Appliance, permite a un atacante filtrar los ID de sesión y elevar privilegios. Este problema afecta: Device42 CMDB versiones anteriores a 18.01.00. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1399 – Remote code execution in scheduled tasks component
https://notcve.org/view.php?id=CVE-2022-1399
An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions. Una vulnerabilidad de Inyección o Modificación de Argumentos en el campo de nombre de usuario "Change Secret" usado en el componente Discovery de Device42 CMDB permite a un atacante local ejecutar código arbitrario en el dispositivo con privilegios root. Este problema afecta: Device42 CMDB versión 18.01.00 y versiones anteriores. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2008-4119
https://notcve.org/view.php?id=CVE-2008-4119
Multiple cross-site scripting (XSS) vulnerabilities in CA Service Desk 11.2 and CMDB 11.0 through 11.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "multiple web forms." Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en CA Service Desk v11.2 y CMDB v11.0 hasta v11.2, permite a atacantes remotos inyectar secuencias de comandos web y HTML de su elección a través de vectores no especificados implicando a "múltiples formas web". • http://community.ca.com/blogs/casecurityresponseblog/archive/2008/09/25.aspx http://secunia.com/advisories/32038 http://securityreason.com/securityalert/4318 http://www.securityfocus.com/archive/1/496755/100/0/threaded http://www.securityfocus.com/bid/31412 http://www.securitytracker.com/id?1020949 http://www.vupen.com/english/advisories/2008/2673 https://exchange.xforce.ibmcloud.com/vulnerabilities/45416 https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=186585 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •