CVSS: 10.0EPSS: 5%CPEs: 1EXPL: 1CVE-2021-27198 – VisualWare MyConnection Server 11.0b Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-27198
An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system. • https://github.com/rwincey/CVE-2021-27198 http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2021/Feb/81 https://myconnectionserver.visualware.com/download.html https://myconnectionserver.visualware.com/support/newrelease.html https://www.securifera.com/advisories/cve-2021-27198 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-27509
https://notcve.org/view.php?id=CVE-2021-27509
In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code. En Visualware MyConnection Server versiones anteriores a 11.0b build 5382, cada reporte publicado no está asociado con su propio código de acceso • https://myconnectionserver.visualware.com/support/newrelease.html • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2015-2043 – MyConnection Server 8.2b Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-2043
Multiple cross-site scripting (XSS) vulnerabilities in Visualware MyConnection Server 8.2b allow remote attackers to inject arbitrary web script or HTML via the (1) bt, (2) variable, or (3) et parameter to myspeed/db/historyitem. Múltiples vulnerabilidades de XSS en Visualware MyConnection Server 8.2b permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro (1) bt, (2) variable, o (3) et en myspeed/db/historyitem. MyConnection Server version 8.2b suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/130490/MyConnection-Server-8.2b-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2014-5113
https://notcve.org/view.php?id=CVE-2014-5113
Multiple cross-site scripting (XSS) vulnerabilities in test.php in Visualware MyConnection Server 9.7i allow remote attackers to inject arbitrary web script or HTML via the (1) testtype, (2) ver, (3) cm, (4) map, (5) lines, (6) pps, (7) bpp, (8) codec, (9) provtext, (10) provtextextra, (11) provlink, or (12) duration parameter. Múltiples vulnerabilidades de XSS en test.php en Visualware MyConnection Server 9.7i permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) testtype, (2) ver, (3) cm, (4) map, (5) lines, (6) pps, (7) bpp, (8) codec, (9) provtext, (10) provtextextra, (11) provlink o (12) duration. • http://packetstormsecurity.com/files/127545/MyConnection-Server-MCS-9.7i-Cross-Site-Scripting.html http://treadstonesecurity.blogspot.ca/2014/07/myconnection-server-mcs-reflective-xss.html http://www.securityfocus.com/bid/68793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •