CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2020-14011 – Lansweeper 7.2 - Incorrect Access Control
https://notcve.org/view.php?id=CVE-2020-14011
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features. Lansweeper versiones 6.0.x hasta 7.2.x, presenta una instalación predeterminada en la que la contraseña de administrador está configurada para la cuenta de administrador, a menos que "Built-in admin" sea manualmente desactivado. Esto permite una ejecución de comandos por medio de las funcionalidades Add New Package y Scheduled Deployments Lansweeper version 7.2 has a default admin account enabled which allows for remote code execution. • https://www.exploit-db.com/exploits/48618 http://packetstormsecurity.com/files/158205/Lansweeper-7.2-Default-Account-Remote-Code-Execution.html https://pastebin.com/EUkMx94X https://www.lansweeper.com/knowledgebase/restricting-access-to-the-web-console • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 9.1EPSS: 31%CPEs: 1EXPL: 1CVE-2019-13462
https://notcve.org/view.php?id=CVE-2019-13462
Lansweeper before 7.1.117.4 allows unauthenticated SQL injection. Lansweeper anterior a la versión 7.1.117.4 permite la inyección SQL no autenticada. • https://www.lansweeper.com/forum/yaf_topics33_Announcements.aspx https://www.nccgroup.trust/uk/our-research/technical-advisory-unauthenticated-sql-injection-in-lansweeper • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-9264
https://notcve.org/view.php?id=CVE-2015-9264
Lansweeper 4.x through 6.x before 6.0.0.48 allows attackers to execute arbitrary code on the administrator's workstation via a crafted Windows service. Lansweeper en versiones 4.x hasta las 6.x anteriores a la 6.0.0.48 permite que los atacantes ejecuten código arbitrario en la estación de trabajo del administrador mediante un servicio de Windows manipulado. • https://www.lansweeper.com/updates/lansweeper-6-0-0-48-security-update • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2017-16841 – LanSweeper 6.0.100.75 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16841
LanSweeper 6.0.100.75 has XSS via the description parameter to /Calendar/CalendarActions.aspx. La versión 6.0.100.75 de LanSweeper tiene XSS mediante el parámetro description en /Calendar/CalendarActions.aspx. • https://www.exploit-db.com/exploits/43149 https://www.linkedin.com/pulse/lansweeper-bug-miguel-angel-mendez-oscp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-13706 – Lansweeper 6.0.100.29 XXE Injection
https://notcve.org/view.php?id=CVE-2017-13706
XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705. Vulnerabilidad XEE (XML External Entity) en la funcionalidad de importación de paquetes del módulo deployment en Lansweeper en versiones anteriores a la 6.0.100.67 permite que usuarios autenticados remotos obtengan información sensible, provoquen una denegación de servicio, realicen ataques SSRF (Server-Side Request Forgery), realicen escaneos de puertos internos o provoquen otro impacto no especificado mediante una petición XML. Esta vulnerabilidad también se conoce como bug #572705. Lansweeper version 6.0.100.29 suffers from an XML external entity injection vulnerability. • http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html http://seclists.org/fulldisclosure/2017/Oct/14 https://www.lansweeper.com/changelog.aspx • CWE-611: Improper Restriction of XML External Entity Reference •