CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 2CVE-2023-36255 – Eramba 3.19.1 Remote Command Execution
https://notcve.org/view.php?id=CVE-2023-36255
01 Aug 2023 — An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL. Eramba version 3.19.1 suffers from a remote command execution vulnerability. • https://packetstorm.news/files/id/173888 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-43342
https://notcve.org/view.php?id=CVE-2022-43342
14 Nov 2022 — A stored cross-site scripting (XSS) vulnerability in the Add function of Eramba GRC Software c2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the KPI Title text field. Una vulnerabilidad de cross-site scripting (XSS) almacenadas en la función Agregar de Eramba GRC Software c2.8.1 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el campo de texto Título del KPI. • https://discussions.eramba.org/t/question-stored-xss-vulnerability/2326 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28031
https://notcve.org/view.php?id=CVE-2020-28031
30 Oct 2020 — eramba through c2.8.1 allows HTTP Host header injection with (for example) resultant wkhtml2pdf PDF printing by authenticated users. eramba versiones hasta c2.8.1, permite una inyección de encabezado HTTP Host con (por ejemplo) una impresión de PDF wkhtml2pdf resultante por parte de usuarios autenticados • https://discussions.eramba.org/t/bug-injectable-host-header-security-issue/1719 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2020-25104
https://notcve.org/view.php?id=CVE-2020-25104
03 Sep 2020 — eramba c2.8.1 and Enterprise before e2.19.3 allows XSS via a crafted filename for a file attached to an object. For example, the filename has a complete XSS payload followed by the .png extension. eramba versión c2.8.1 y Enterprise versiones anteriores a e2.19.3, permiten un ataque de tipo XSS por medio de un nombre de archivo diseñado para un archivo adjuntado en un objeto. Por ejemplo, el nombre de archivo presenta una carga útil XSS completa seguida de la extensión .png • https://discussions.eramba.org/t/bug-security-vulnerabilities-not-serious/1650 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-25105
https://notcve.org/view.php?id=CVE-2020-25105
03 Sep 2020 — eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities). eramba versión c2.8.1 y Enterprise versiones anteriores a e2.19.3, presentan un token de recuperación de contraseña débil (createHash posee solo un millón de posibilidades) • https://discussions.eramba.org/t/bug-security-vulnerabilities-not-serious/1650/2 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7996
https://notcve.org/view.php?id=CVE-2018-7996
09 Mar 2018 — Eramba e1.0.6.033 has Stored XSS on the tooltip box via the /programScopes description parameter. Eramba e1.0.6.033 tiene Cross-Site Scripting (XSS) persistente en el cuadro tooltip mediante el parámetro /programScopes. • https://medium.com/stolabs/security-issues-on-eramba-cf887bc0a069 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7997
https://notcve.org/view.php?id=CVE-2018-7997
09 Mar 2018 — Eramba e1.0.6.033 has Reflected XSS on the Error page of the CSV file inclusion tab of the /importTool/preview URI, with a CSV file polluted with malicious JavaScript. Eramba e1.0.6.033 tiene Cross-Site Scripting (XSS) reflejado en la página de error de las pestaña de inclusión de archivos CSV del URI /importTool/preview, con un archivo CSV contaminado con JavaScript malicioso. • https://medium.com/stolabs/security-issues-on-eramba-cf887bc0a069 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7894
https://notcve.org/view.php?id=CVE-2018-7894
09 Mar 2018 — Eramba e1.0.6.033 has Reflected XSS in reviews/filterIndex/ThirdPartyRiskReview via the advanced_filter parameter (aka the Search Parameter). Eramba e1.0.6.033 tiene Cross-Site Scripting (XSS) reflejado en reviews/filterIndex/ThirdPartyRiskReview mediante el parámetro advanced_filter (también conocido como parámetro de búsqueda). • https://medium.com/stolabs/security-issues-on-eramba-cf887bc0a069 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7741
https://notcve.org/view.php?id=CVE-2018-7741
07 Mar 2018 — Eramba e1.0.6.033 has Reflected XSS in the Date Filter via the created parameter to the /crons URI. Eramba e1.0.6.033 tiene Cross-Site Scripting (XSS) reflejado en Date Filter mediante el parámetro created en el URI /crons. • https://medium.com/stolabs/security-issues-on-eramba-cf887bc0a069 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •