CVSS: 7.5EPSS: 96%CPEs: 1EXPL: 0CVE-2015-1605 – Dell ScriptLogic Asset Manager GetProcessedPackage SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2015-1605
Multiple SQL injection vulnerabilities in Dell ScriptLogic Asset Manager (aka Quest Workspace Asset Manager) before 9.5 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) GetClientPackage.aspx or (2) GetProcessedPackage.aspx. Múltiples vulnerabilidades de inyección SQL en Dell ScriptLogic Asset Manager (también conocido como Quest Workspace Asset Manager) anterior a 9.5 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados en (1) GetClientPackage.aspx o (2) GetProcessedPackage.aspx. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell ScriptLogic Asset Manager, also known as Quest Workspace Asset Manager. Authentication is not required to exploit this vulnerability. To exploit this security flaw, an attacker would make a specially crafted web request to a handler named GetProcessedPackage.aspx that is installed as part of this product. An attacker can leverage this vulnerability to execute code under the context of NETWORK SERVICE. • http://www.securityfocus.com/bid/72697 http://www.zerodayinitiative.com/advisories/ZDI-15-048 http://www.zerodayinitiative.com/advisories/ZDI-15-049 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2006-2641
https://notcve.org/view.php?id=CVE-2006-2641
** UNVERIFIABLE ** NOTE: this issue does not contain any verifiable or actionable details. Cross-site scripting (XSS) vulnerability in John Frank Asset Manager (AssetMan) 2.4a and earlier allows remote attackers to inject arbitrary web script or HTML via "any of its input." NOTE: the original disclosure is based on vague researcher claims without vendor acknowledgement; therefore this identifier cannot be linked with any future identifier that identifies more specific vectors. Perhaps this should not be included in CVE. • http://secunia.com/advisories/20285 http://securityreason.com/securityalert/979 http://www.securityfocus.com/archive/1/435139/100/0/threaded http://www.securityfocus.com/bid/18131 http://www.vupen.com/english/advisories/2006/2023 https://exchange.xforce.ibmcloud.com/vulnerabilities/26702 •