CVE-2022-25224
https://notcve.org/view.php?id=CVE-2022-25224
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands. Proton versión v0.2.0, permite a un atacante crear un enlace malicioso dentro de un archivo markdown. Cuando la víctima hace clic en el enlace, la aplicación abre el sitio en el marco actual permitiendo a un atacante alojar código JavaScript en el enlace malicioso para desencadenar un ataque de tipo XSS. • https://fluidattacks.com/advisories/lennon • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-7272 – Optergy 2.3.0a - Username Disclosure
https://notcve.org/view.php?id=CVE-2019-7272
Optergy Proton/Enterprise devices allow Username Disclosure. Los dispositivos Optergy Proton/Enterprise permiten la divulgación del nombre de usuario. • https://www.exploit-db.com/exploits/47640 http://packetstormsecurity.com/files/155259/Optergy-BMS-2.0.3a-Account-Reset-Username-Disclosure.html http://www.securityfocus.com/bid/108686 https://applied-risk.com/labs/advisories https://www.applied-risk.com/resources/ar-2019-008 • CWE-862: Missing Authorization •
CVE-2019-7273 – Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
https://notcve.org/view.php?id=CVE-2019-7273
Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF). Los dispositivos Optergy Proton/Enterprise permiten Cross-Site Request Forgery (CSRF). Optergy Proton/Enterprise BMS versions 2.0.3a and below suffer from an add administrator cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/47639 http://packetstormsecurity.com/files/155265/Optergy-Proton-Enterprise-BMS-2.0.3a-Cross-Site-Request-Forgery.html http://www.securityfocus.com/bid/108686 https://applied-risk.com/labs/advisories https://www.applied-risk.com/resources/ar-2019-008 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-7274 – Optergy 2.3.0a - Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-7274
Optergy Proton/Enterprise devices allow Authenticated File Upload with Code Execution as root. Los dispositivos Optergy Proton / Enterprise permiten la carga de archivos autenticados con la ejecución de código como root. • https://www.exploit-db.com/exploits/47636 http://packetstormsecurity.com/files/155269/Optergy-2.3.0a-Remote-Root.html http://www.securityfocus.com/bid/108686 https://applied-risk.com/labs/advisories https://www.applied-risk.com/resources/ar-2019-008 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2019-7275 – Optergy Proton/Enterprise BMS 2.3.0a Open Redirect
https://notcve.org/view.php?id=CVE-2019-7275
Optergy Proton/Enterprise devices allow Open Redirect. Los dispositivos Optergy Proton/Enterprise permiten una redirección abierta. Optergy Proton/Enterprise BMS versions 2.3.0a and below suffer from an open redirect vulnerability. • http://packetstormsecurity.com/files/155268/Optergy-Proton-Enterprise-BMS-2.3.0a-Open-Redirect.html http://www.securityfocus.com/bid/108686 https://applied-risk.com/labs/advisories https://www.applied-risk.com/resources/ar-2019-008 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •