CVE-2020-26549
https://notcve.org/view.php?id=CVE-2020-26549
An issue was discovered in Aviatrix Controller before R5.4.1290. The htaccess protection mechanism to prevent requests to directories can be bypassed for file downloading. Se detectó un problema en Aviatrix Controller versiones anteriores a R5.4.1290. El mecanismo de protección htaccess para impedir peticiones a directorios puede ser omitido para una descarga de archivos • https://www.criticalstart.com/multiple-vulnerabilities-discovered-in-aviatrix • CWE-552: Files or Directories Accessible to External Parties •
CVE-2020-26548
https://notcve.org/view.php?id=CVE-2020-26548
An issue was discovered in Aviatrix Controller before R5.4.1290. There is an insecure sudo rule: a user exists that can execute all commands as any user on the system. Se detectó un problema en Aviatrix Controller versiones anteriores a R5.4.1290. Se presenta una regla sudo no segura: existe un usuario que puede ejecutar todos los comandos como cualquier usuario en el sistema • https://www.criticalstart.com/multiple-vulnerabilities-discovered-in-aviatrix •
CVE-2020-13412
https://notcve.org/view.php?id=CVE-2020-13412
An issue was discovered in Aviatrix Controller before 5.4.1204. An API call on the web interface lacked a session token check to control access, leading to CSRF. Se detectó un problema en Aviatrix Controller versiones anteriores a 5.4.1204. Una llamada API en la interfaz web carecía de una comprobación de token de sesión para controlar el acceso, lo que condujo a CSRF. • https://docs.aviatrix.com/HowTos/security_bulletin_article.html#cross-site-request-forgery-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-13413
https://notcve.org/view.php?id=CVE-2020-13413
An issue was discovered in Aviatrix Controller before 5.4.1204. There is a Observable Response Discrepancy from the API, which makes it easier to perform user enumeration via brute force. Se detectó un problema en Aviatrix Controller versiones anteriores a 5.4.1204. Se presenta una Discrepancia de Respuesta Observable desde la API, lo que facilita llevar a cabo la enumeración de usuarios por medio de un ataque de fuerza bruta. • https://docs.aviatrix.com/HowTos/security_bulletin_article.html#observable-response-discrepancy-from-api https://www.criticalstart.com/multiple-vulnerabilities-discovered-in-aviatrix • CWE-203: Observable Discrepancy •
CVE-2020-13414
https://notcve.org/view.php?id=CVE-2020-13414
An issue was discovered in Aviatrix Controller before 5.4.1204. It contains credentials unused by the software. Se detectó un problema en Aviatrix Controller versiones anteriores a 5.4.1204. Contiene credenciales no utilizadas por el software. • https://docs.aviatrix.com/HowTos/security_bulletin_article.html#clean-up-old-code https://www.criticalstart.com/multiple-vulnerabilities-discovered-in-aviatrix • CWE-798: Use of Hard-coded Credentials •