CVE-2022-34125 – GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
https://notcve.org/view.php?id=CVE-2022-34125
front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter. GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability. • https://www.exploit-db.com/exploits/51232 https://github.com/InfotelGLPI/cmdb/releases/tag/3.0.3 https://github.com/InfotelGLPI/cmdb/security/advisories/GHSA-wv59-3rv4-vm9f https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-1401 – Insufficient validation of provided paths in Exago WrImageResource.axd
https://notcve.org/view.php?id=CVE-2022-1401
Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-863: Incorrect Authorization
CVE-2022-1410 – Remote Code Execution in Device42 ApplianceManager console
https://notcve.org/view.php?id=CVE-2022-1410
OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-1400 – Hardcoded encryption key IV in Exago WebReportsApi.dll
https://notcve.org/view.php?id=CVE-2022-1400
Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-321: Use of Hard-coded Cryptographic Key; CWE-798: Use of Hard-coded Credentials
CVE-2022-1399 – Remote code execution in scheduled tasks component
https://notcve.org/view.php?id=CVE-2022-1399
An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')