CVSS: 10.0EPSS: 0%CPEs: 24EXPL: 0CVE-2020-24650 – Hewlett Packard Enterprise Intelligent Management Center legend Expression Language Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-24650
A legend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). Se detectó una vulnerabilidad de ejecución de código remota de una inyección de lenguaje de expresiones de legend en HPE Intelligent Management Center (iMC): versión(es): anteriores a iMC PLAT 7.3 (E0705P07) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the beanName parameter provided to the legend.xhtml endpoint. When parsing the beanName parameter, the process does not properly validate a user-supplied string before using it to render a page. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04036en_us • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 10.0EPSS: 0%CPEs: 24EXPL: 0CVE-2020-24651 – Hewlett Packard Enterprise Intelligent Management Center SyslogTempletSelectWin Expression Language Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-24651
A syslogtempletselectwin expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). Se detectó una vulnerabilidad de ejecución de código remota de una inyección de lenguaje de expresiones de syslogtempletselectwin en HPE Intelligent Management Center (iMC): versión(es): anteriores a iMC PLAT 7.3 (E0705P07) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the beanName parameter provided to the SyslogTempletSelectWin.xhtml endpoint. When parsing the beanName parameter, the process does not properly validate a user-supplied string before using it to render a page. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04036en_us • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 10.0EPSS: 0%CPEs: 24EXPL: 0CVE-2020-7143 – Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet Expression Language Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-7143
A faultdevparasset expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). Se detectó una vulnerabilidad de ejecución de código remota de una inyección de lenguaje de expresiones de failuredevparasset en HPE Intelligent Management Center (iMC): versión(es): anteriores a iMC PLAT 7.3 (E0705P07) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the beanName parameter provided to the faultDevParasSet.xhtml endpoint. When parsing the beanName parameter, the process does not properly validate a user-supplied string before using it to render a page. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04036en_us • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 10.0EPSS: 0%CPEs: 24EXPL: 0CVE-2020-7142 – Hewlett Packard Enterprise Intelligent Management Center eventInfo_content Expression Language Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-7142
A eventinfo_content expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). Se detectó una vulnerabilidad de ejecución de código remota de una inyección de lenguaje de expresiones de eventinfo_content en HPE Intelligent Management Center (iMC): versión(es): anteriores a iMC PLAT 7.3 (E0705P07) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the beanName parameter provided to the eventInfo_content.xhtml endpoint. When parsing the beanName parameter, the process does not properly validate a user-supplied string before using it to render a page. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04036en_us • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 0CVE-2019-11984
https://notcve.org/view.php?id=CVE-2019-11984
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. Se ha identificado una vulnerabilidad de ejecución de código de inyección SQL en HPE Intelligent Management Center (IMC) PLAT anterior a la versión 7.3 E0506P09. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •