
CVSS: 9.8 • EPSS: 2% • CPEs: 1 • EXPL: 1

A vulnerability, which was classified as critical, was found in openBI up to 6.0.3. Affected is the function addxinzhi of the file application/controllers/User.php of the component Phar Handler. The manipulation of the argument outimgurl leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
• https://note.zhaoj.in/share/qFXZZfp1NLa3
• https://vuldb.com/?ctiid.252696
• https://vuldb.com/?id.252696
• CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

A vulnerability was found in openBI up to 1.0.8. It has been declared as critical. Affected by this vulnerability is the function index of the file /application/index/controller/Screen.php. The manipulation of the argument fileurl leads to code injection. The attack can be launched remotely.
• https://note.zhaoj.in/share/Liu1nbjddxu4
• https://vuldb.com/?ctiid.252475
• https://vuldb.com/?id.252475
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

A vulnerability was found in openBI up to 1.0.8. It has been classified as critical. Affected is the function index of the file /application/plugins/controller/Upload.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely.
• https://note.zhaoj.in/share/uCElTQRGWVyw
• https://vuldb.com/?ctiid.252474
• https://vuldb.com/?id.252474
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

A vulnerability was found in openBI up to 1.0.8 and classified as critical. This issue affects the function dlfile of the file /application/websocket/controller/Setting.php. The manipulation of the argument phpPath leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
• https://note.zhaoj.in/share/81JmiyogcYL7
• https://vuldb.com/?ctiid.252473
• https://vuldb.com/?id.252473
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

A vulnerability has been found in openBI up to 1.0.8 and classified as critical. This vulnerability affects the function dlfile of the file /application/index/controller/Screen.php. The manipulation of the argument fileUrl leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
• https://note.zhaoj.in/share/9wv48TygKRxo
• https://vuldb.com/?ctiid.252472
• https://vuldb.com/?id.252472
• CWE-284: Improper Access Control