CVE-2019-11292 – Pivotal Ops Manager logs query parameters in tomcat access file
https://notcve.org/view.php?id=CVE-2019-11292
08 Jan 2020 — Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access log file. If query parameters are used to provide authentication, i.e. credentials, then those credentials are logged as well. • https://pivotal.io/security/cve-2019-11292 • CWE-532: Insertion of Sensitive Information into Log File
CVE-2019-11270 – UAA clients.write vulnerability
https://notcve.org/view.php?id=CVE-2019-11270
05 Aug 2019 — Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. • https://pivotal.io/security/cve-2019-11270 • CWE-269: Improper Privilege Management • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2019-3790 – Ops Manager uaa client issues tokens after refresh token expiration
https://notcve.org/view.php?id=CVE-2019-3790
06 Jun 2019 — Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired and access Ops Manager resources. • http://www.securityfocus.com/bid/108512 • CWE-324: Use of a Key Past its Expiration Date • CWE-613: Insufficient Session Expiration
CVE-2016-4380 – HP Security Bulletin HPSBGN03637 1
https://notcve.org/view.php?id=CVE-2016-4380
31 Aug 2016 — Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. A potential vulnerability has been identified in the AdminUI of the HP ... • http://www.securityfocus.com/bid/92698 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4373 – HP Security Bulletin HPSBGN03630 1
https://notcve.org/view.php?id=CVE-2016-4373
26 Jul 2016 — The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. A v... • http://www.securityfocus.com/bid/92122 • CWE-284: Improper Access Control
CVE-2014-5073 – VMTurbo Operations Manager 4.6 - 'vmtadmin.cgi' Remote Command Execution
https://notcve.org/view.php?id=CVE-2014-5073
14 Aug 2014 — vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the fileDate parameter in a DOWN call. • https://packetstorm.news/files/id/127864
CVE-2014-3806 – VM Turbo Operations Manager 4.5x - Directory Traversal
https://notcve.org/view.php?id=CVE-2014-3806
21 May 2014 — Directory traversal vulnerability in cgi-bin/help/doIt.cgi in VMTurbo Operations Manager before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the xml_path parameter. • https://www.exploit-db.com/exploits/33334 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')