CVE-2021-43271
https://notcve.org/view.php?id=CVE-2021-43271
Riverbed AppResponse 11.8.0, 11.8.5, 11.8.5a, 11.9.0, 11.9.0a, 11.10.0, 11.11.0, 11.11.0a, 11.11.1, 11.11.1a, 11.11.5, and 11.11.5a (when configured to use local, RADIUS, or TACACS authentication) logs usernames and passwords if either is entered incorrectly. If a user enters an incorrect username and/or password when logging into the WebUI, these attempted credentials are included in an error message that is logged in the WebUI log file. A log entry does not appear if the username and password provided correctly match a valid set of credentials. This also does not happen if AppResponse is configured to use SAML authentication. The WebUI log file is included in subsequent diagnostic system dumps that are generated.
Reference: https://supportkb.riverbed.com/support/index?page=content&id=S35806
CWE-532: Insertion of Sensitive Information into Log File
CVE-2021-42854 – Directory Traversal Read/Write/Delete at PluginServlet
https://notcve.org/view.php?id=CVE-2021-42854
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) PluginServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/plugin/pmx" API. The affected endpoint performs no validation of user input, which allows a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Read-Write-Delete-at-PluginServlet-CVE-2021-42854
CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42856 – Reflected Cross-site Scripting at DsaDataTest
https://notcve.org/view.php?id=CVE-2021-42856
It was discovered that the /DsaDataTest endpoint is susceptible to a cross-site scripting (XSS) attack. The Metric parameter has no input checks on user-supplied values, which allows an attacker to craft a malicious payload that triggers the XSS vulnerability.
Reference: https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856
CWE-20: Improper Input Validation
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42787 – Directory Traversal Write/Delete/Partial Read at AgentConfigurationServlet
https://notcve.org/view.php?id=CVE-2021-42787
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/configuration" API. The affected endpoint performs no validation of user input, which allows a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787
CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42857 – Directory Traversal Partial Write at AgentDaServlet
https://notcve.org/view.php?id=CVE-2021-42857
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/da/pcf" API. The affected endpoint performs no validation of user input, which allows a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Partial-Write-at-AgentDaServlet-CVE-2021-42857
CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')