
CVE-2020-23451
https://notcve.org/view.php?id=CVE-2020-23451
15 Sep 2020 — Spiceworks Version <= 7.5.00107 is affected by CSRF, which can lead to privilege escalation via the "/settings/v1/users" function. • http://spiceworks.com • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2020-23450
https://notcve.org/view.php?id=CVE-2020-23450
01 Sep 2020 — Spiceworks Version <= 7.5.00107 is affected by XSS. Any name typed into the Custom Groups function is vulnerable to stored XSS, as names are displayed on http://127.0.0.1/inventory/groups/ without output sanitization. • http://spiceworks.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2012-6658 – SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / (Authenticated) SQL Injection
https://notcve.org/view.php?id=CVE-2012-6658
17 Sep 2014 — Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types. • https://www.exploit-db.com/exploits/20063 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2012-2956 – SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / (Authenticated) SQL Injection
https://notcve.org/view.php?id=CVE-2012-2956
17 Sep 2014 — SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is for the XSS. • https://www.exploit-db.com/exploits/20063 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2014-3740 – SpiceWorks 7.2.00174 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-3740
09 Jun 2014 — Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page. SpiceWorks IT Ticketing System versions prior to 7.2.00195 suffer from mul... • https://packetstorm.news/files/id/126994 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •