CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-5633
https://notcve.org/view.php?id=CVE-2020-5633
Multiple NEC products (Express5800/T110j, Express5800/T110j-S, Express5800/T110j (2nd-Gen), Express5800/T110j-S (2nd-Gen), iStorage NS100Ti, and Express5800/GT110j) where Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied allows remote attackers to bypass authentication and then obtain/modify BMC setting information, obtain monitoring information, or reboot/shut down the vulnerable product via unspecified vectors. Múltiples productos NEC (Express5800/T110j, Express5800/T110j-S, Express5800/T110j (2.a generación), Express5800/T110j-S (2.a generación), iStorage NS100Ti y Express5800/GT110j), donde el firmware del Baseboard Management Controller (BMC) versiones Rev1.09 y anteriores es aplicado, permite a atacantes remotos omitir una autenticación y luego obtener y modificar una información de configuración BMC, conseguir información de monitoreo o reiniciar y apagar el producto vulnerable por medio de vectores no especificados. • https://jpn.nec.com/security-info/secinfo/nv21-002.html https://jvn.jp/en/jp/JVN38752718/index.html https://www.support.nec.co.jp/View.aspx?id=9010108754 • CWE-287: Improper Authentication •
CVSS: 5.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-5684
https://notcve.org/view.php?id=CVE-2020-5684
iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate. El cliente iSM desde versiones V5.1 anteriores a V12.1, que se ejecutan en NEC Storage Manager o NEC Storage Manager Express no verifican un certificado de servidor apropiadamente, el cual permite a un atacante de tipo man-in-the-middle espiar una comunicación cifrada o alterar la comunicación por medio de un certificado diseñado • https://jpn.nec.com/security-info/secinfo/nv20-015.html https://jvn.jp/en/jp/JVN10100024/index.html • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 20EXPL: 0CVE-2020-5632
https://notcve.org/view.php?id=CVE-2020-5632
InfoCage SiteShell series (Host type SiteShell for IIS V1.4, V1.5, and V1.6, Host type SiteShell for IIS prior to revision V2.0.0.6, V2.1.0.7, V2.1.1.6, V3.0.0.11, V4.0.0.6, V4.1.0.5, and V4.2.0.1, Host type SiteShell for Apache Windows V1.4, V1.5, and V1.6, and Host type SiteShell for Apache Windows prior to revision V2.0.0.6, V2.1.0.7, V2.1.1.6, V3.0.0.11, V4.0.0.6, V4.1.0.5, and V4.2.0.1) allow authenticated attackers to bypass access restriction and to execute arbitrary code with an elevated privilege via a specially crafted executable files. Serie InfoCage SiteShell (Host type SiteShell para IIS V1.4, V1.5 y V1.6, tipo de Host SiteShell para IIS versiones anteriores a V2.0.0.6, V2.1.0.7, V2.1.1.6, V3. 0.0.11, V4.0.0.6, V4.1.0.5 y V4.2.0.1, tipo de host SiteShell para Apache Windows V1.4, V1.5 y V1.6, y tipo de host SiteShell para Apache Windows anterior a revisión V2.0.0.6, V2.1.0.7, V2.1.1.6, V3.0.0.11, V4.0.0.6, V4.1.0.5 y V4.2.0.1), permiten a atacantes autenticados omitir una restricción de acceso y ejecutar código arbitrario con un privilegio elevado por medio de archivos ejecutables especialmente diseñados • https://jpn.nec.com/infocage/siteshell/everyone_20200918.html https://jvn.jp/en/jp/JVN07426151/index.html •
CVSS: 7.5EPSS: 5%CPEs: 2EXPL: 0CVE-2020-17408 – NEC ExpressCluster ApplyConfig XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-17408
This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. • https://www.support.nec.co.jp/en/View.aspx?id=9510100319 https://www.zerodayinitiative.com/advisories/ZDI-20-1102 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-20033
https://notcve.org/view.php?id=CVE-2019-20033
On Aspire-derived NEC PBXes, including all versions of SV8100 devices, a set of documented, static login credentials may be used to access the DIM interface. En On Aspire-derived NEC PBXes, incluidas todas las versiones de dispositivos SV8100, puede ser usado un conjunto de credenciales de inicio de sesión estáticas documentadas para acceder a la interfaz DIM • https://shadytel.su/files/nec_cve.txt • CWE-287: Improper Authentication •