CVE-2018-1000083
https://notcve.org/view.php?id=CVE-2018-1000083
Ajenti version 2 contains an Improper Error Handling vulnerability in the Login JSON request that can result in the response leaking a filesystem path of the server. The issue appears to be exploitable by sending a malformed JSON body: the tool answers with a traceback error that discloses a path on the server. Note that the CWE assigned below (CWE-22, path traversal) does not match the behaviour described; what is described is exposure of internal information through an error message (CWE-209), and nothing in the description indicates that an attacker can read or write files outside an intended directory. • https://medium.com/stolabs/security-issues-on-ajenti-d2b7526eaeee • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
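The failure mode above, as an added example that is not Ajenti's code: a minimal JSON login handler in a leaky form that renders the exception traceback into the HTTP response, and a hardened form that treats malformed input as a plain client error and keeps exception details in the server log. The handler names, the (status, body) return shape, the `_authenticate` stub and the sample request bodies are assumptions made for illustration; `leaks_server_path` is the check a tester would run over a response to confirm the disclosure.

```python
import json
import logging
import traceback

# Added example, not Ajenti's code. Handler names, the (status, body)
# return shape, _authenticate and the sample bodies are assumptions.

log = logging.getLogger("login")


def _authenticate(username, password):
    """Hypothetical credential check; always fails in this example."""
    return False


def login_leaky(body: bytes) -> tuple:
    """Vulnerable shape: any exception, including a JSON decode error, is
    formatted into the response. A Python traceback carries the absolute
    path of every frame, so the client learns where the server's code lives."""
    try:
        creds = json.loads(body)
        if _authenticate(creds["username"], creds["password"]):
            return 200, '{"ok": true}'
        return 401, '{"ok": false}'
    except Exception:
        return 500, "Internal error:\n" + traceback.format_exc()


def login_hardened(body: bytes) -> tuple:
    """Hardened shape: malformed input gets a fixed 400 message; anything
    unexpected is logged server-side and the client gets an opaque 500."""
    try:
        creds = json.loads(body)
        username = creds["username"]
        password = creds["password"]
    except (ValueError, KeyError, TypeError):
        # ValueError covers json.JSONDecodeError; KeyError a missing field;
        # TypeError a body that decodes to a list, string or number.
        return 400, '{"error": "malformed request"}'
    try:
        if _authenticate(username, password):
            return 200, '{"ok": true}'
        return 401, '{"ok": false}'
    except Exception:
        log.exception("login handler failed")  # details stay in the server log
        return 500, '{"error": "internal error"}'


def leaks_server_path(response_body: str) -> bool:
    """Check a response for the signature of a leaked Python traceback:
    the 'Traceback' header plus at least one 'File "<path>"' frame line."""
    return ("Traceback (most recent call last)" in response_body
            and 'File "' in response_body)


if __name__ == "__main__":
    malformed = b'{"username": "admin", "password": '  # constructed: truncated JSON
    for handler in (login_leaky, login_hardened):
        status, text = handler(malformed)
        print(handler.__name__, status, "leaks path:", leaks_server_path(text))
```

The hardened handler distinguishes client errors (caught narrowly, answered with a generic 400) from server errors (logged with `log.exception`, answered with an opaque 500), which is the whole of the fix: the traceback still exists, it just never reaches the response body.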
CVE-2018-1000080
https://notcve.org/view.php?id=CVE-2018-1000080
Ajenti version 2 contains an Insecure Permissions vulnerability in the plugin download feature that can result in any plugin being downloaded by a normal, non-administrative user. The issue appears to be exploitable by an attacker who knows how the request is constructed: sending that request as a normal user causes the server to download the plugin in response, with no server-side check that the caller holds the privilege the action requires. • https://medium.com/stolabs/security-issues-on-ajenti-d2b7526eaeee • CWE-732: Incorrect Permission Assignment for Critical Resource •
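The missing-authorization pattern above, as an added example that is not Ajenti's code: a tiny route table with an unchecked and a role-guarded plugin download endpoint, plus an audit function that lists privileged routes carrying no role requirement, which is the check a reviewer runs to catch this class of bug before it ships. The `User` class, the role names, the route names and the plugin name are assumptions made for illustration.

```python
import functools

# Added example, not Ajenti's code. User, the role names, the route
# names and the plugin name are assumptions made for illustration.


class Forbidden(Exception):
    pass


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


# Route table: endpoint name -> handler.
ROUTES = {}


def route(name):
    def register(fn):
        ROUTES[name] = fn
        return fn
    return register


def requires_role(*allowed):
    """Server-side role check for privileged endpoints. The requirement is
    recorded on the wrapper so the audit below can find it."""
    def decorate(fn):
        @functools.wraps(fn)
        def guarded(user, *args, **kwargs):
            if not (user.roles & set(allowed)):
                raise Forbidden("%s lacks %s for %s" % (user.name, allowed, fn.__name__))
            return fn(user, *args, **kwargs)
        guarded.required_roles = frozenset(allowed)
        return guarded
    return decorate


DOWNLOADED = []  # records (user, plugin) for every download that went through


@route("plugins/download_unchecked")
def download_plugin_unchecked(user, plugin_name):
    """Vulnerable shape: any authenticated user triggers the download."""
    DOWNLOADED.append((user.name, plugin_name))
    return {"downloaded": plugin_name}


@route("plugins/download")
@requires_role("admin")
def download_plugin(user, plugin_name):
    """Hardened shape: the role check runs before the privileged action."""
    DOWNLOADED.append((user.name, plugin_name))
    return {"downloaded": plugin_name}


def unguarded_privileged_routes(prefixes=("plugins/",)):
    """Audit: registered routes under privileged prefixes with no role
    requirement attached."""
    return sorted(name for name, fn in ROUTES.items()
                  if name.startswith(prefixes) and not hasattr(fn, "required_roles"))


def try_download(user, endpoint, plugin_name):
    """Dispatch a request; return (allowed, result-or-reason)."""
    try:
        return True, ROUTES[endpoint](user, plugin_name)
    except Forbidden as e:
        return False, str(e)


if __name__ == "__main__":
    alice = User("alice", ["user"])
    print(try_download(alice, "plugins/download_unchecked", "example-plugin"))
    print(try_download(alice, "plugins/download", "example-plugin"))
    print("unguarded:", unguarded_privileged_routes())
```

Knowing the request format is not a secret worth relying on; the guard has to be on the server, and it has to be enforced on every entry point that performs the action, which is why the audit walks the route table rather than trusting that someone remembered the decorator.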
CVE-2014-4301
https://notcve.org/view.php?id=CVE-2014-4301
Multiple cross-site scripting (XSS) vulnerabilities in the respond_error function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO of a request to (1) resources.js or (2) resources.css in ajenti:static/, related to the traceback page: the requested path is reflected into the error page without HTML escaping. • http://secunia.com/advisories/59177 http://www.securityfocus.com/bid/68047 https://github.com/Eugeny/ajenti/commit/d3fc5eb142ff16d55d158afb050af18d5ff09120 https://www.netsparker.com/critical-xss-vulnerabilities-in-ajenti • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-2260
https://notcve.org/view.php?id=CVE-2014-2260
Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality; the stored command is rendered back into the page without escaping, so it executes for any administrator who views the Cron page. • http://packetstormsecurity.com/files/124804/Ajenti-1.2.13-Cross-Site-Scripting.html http://www.osvdb.org/102174 http://www.securityfocus.com/bid/64982 https://github.com/Eugeny/ajenti/commit/3270fd1d78391bb847b4c9ce37cf921f485b1310 https://github.com/Eugeny/ajenti/issues/233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
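Both XSS entries above (the reflected PATH_INFO in the respond_error traceback page of CVE-2014-4301 and the stored cron command of CVE-2014-2260) have the same root cause and the same fix, so one added example serves both. This is not Ajenti's code: the page layouts, the function names, the cron job tuples and the test payload are assumptions made for illustration. It shows an unescaped error page beside an escaped one, a cron table renderer that escapes both text and attribute contexts, and a check that reports whether a payload survives into the output unescaped.

```python
import html

# Added example, not Ajenti's code. The page layouts, function names,
# cron job tuples and the payload below are assumptions for illustration.

PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed test payload


def respond_error_unescaped(path_info: str, message: str) -> str:
    """Vulnerable shape: the request path is interpolated into the error
    page verbatim, so markup carried in PATH_INFO runs in the viewer's browser."""
    return "<h1>Error at %s</h1><pre>%s</pre>" % (path_info, message)


def respond_error(path_info: str, message: str) -> str:
    """Hardened shape: every untrusted value is HTML-escaped before it is
    placed in element content."""
    return "<h1>Error at %s</h1><pre>%s</pre>" % (
        html.escape(path_info), html.escape(message))


def render_cron_rows(jobs) -> str:
    """Render stored cron jobs (schedule, command) into a table. The command
    lands in a value="" attribute, so quote=True is required: without it a
    double quote in the command would close the attribute and allow an
    on* event handler to be injected."""
    rows = []
    for schedule, command in jobs:
        rows.append('<tr><td>%s</td><td><input value="%s"></td></tr>' % (
            html.escape(schedule), html.escape(command, quote=True)))
    return "<table>" + "".join(rows) + "</table>"


def contains_raw_markup(rendered: str, payload: str) -> bool:
    """Check: does the payload appear in the output exactly as supplied?"""
    return payload in rendered


if __name__ == "__main__":
    path = "/ajenti:static/resources.js/" + PAYLOAD
    print("unescaped leaks:", contains_raw_markup(respond_error_unescaped(path, "Not found"), PAYLOAD))
    print("escaped leaks:  ", contains_raw_markup(respond_error(path, "Not found"), PAYLOAD))
    print(render_cron_rows([("* * * * *", '" onfocus="alert(1)')]))
```

Escaping is context-dependent: `html.escape` with its default `quote=True` covers text content and double-quoted attributes, but a value placed into a JavaScript string, a URL or an unquoted attribute needs that context's own encoding, which is why the renderer above keeps the command inside a quoted attribute.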