
CVE-2021-35482
https://notcve.org/view.php?id=CVE-2021-35482
21 Jul 2021 — An issue was discovered in Barco MirrorOp Windows Sender before 2.5.4.70. An attacker in the local network is able to achieve Remote Code Execution (with user privileges of the local user) on any device that tries to connect to a WePresent presentation system. • https://www.barco.com/en/support/software/R33050099?majorVersion=2&minorVersion=5&patchVersion=4&buildVersion=70 •

CVE-2020-17504
https://notcve.org/view.php?id=CVE-2020-17504
08 Jan 2021 — The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in ngpsystemcmd.php in which the http parameters "x_modules" and "y_modules" are not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. • https://www.barco.com/en/support/cms • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2020-17503
https://notcve.org/view.php?id=CVE-2020-17503
08 Jan 2021 — The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter "locking" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. • https://www.barco.com/en/support/cms • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2020-17502
https://notcve.org/view.php?id=CVE-2020-17502
08 Jan 2021 — Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm ... • https://www.barco.com/en/support/cms • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2020-17500
https://notcve.org/view.php?id=CVE-2020-17500
07 Jan 2021 — Barco TransForm NDN-210 Lite, NDN-210 Pro, NDN-211 Lite, and NDN-211 Pro before 3.8 allows Command Injection (issue 1 of 4). The NDN-210 has a web administration panel which is made available over https. The logon method is basic authentication. There is a command injection issue that will result in unauthenticated remote code execution in the username and password fields of the logon prompt. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards. • https://www.barco.com/en/support/cms • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2020-28331 – Barco wePresent Undocumented SSH Interface
https://notcve.org/view.php?id=CVE-2020-28331
20 Nov 2020 — Barco wePresent WiPG-1600W devices have Improper Access Control. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W device has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. • https://packetstorm.news/files/id/160162 •

CVE-2020-28332 – Barco wePresent Insecure Firmware Image
https://notcve.org/view.php?id=CVE-2020-28332
20 Nov 2020 — Barco wePresent WiPG-1600W devices download code without an Integrity Check. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W firmware does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images. • https://packetstorm.news/files/id/160164 • CWE-494: Download of Code Without Integrity Check •

CVE-2020-28334 – Barco wePresent Global Hardcoded Root SSH Password
https://notcve.org/view.php?id=CVE-2020-28334
20 Nov 2020 — Barco wePresent WiPG-1600W devices use Hard-coded Credentials (issue 2 of 2). Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W device has a hardcoded root password hash included in the firmware image. Exploiting CVE-2020-28329, CVE-2020-28330 and CVE-2020-28331 could potentially be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell. • https://packetstorm.news/files/id/160163 • CWE-798: Use of Hard-coded Credentials •

CVE-2020-28329 – Barco wePresent Hardcoded API Credentials
https://notcve.org/view.php?id=CVE-2020-28329
20 Nov 2020 — Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. • https://packetstorm.news/files/id/160159 • CWE-798: Use of Hard-coded Credentials •

CVE-2020-28330 – Barco wePresent Admin Credential Exposure
https://notcve.org/view.php?id=CVE-2020-28330
20 Nov 2020 — Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device. • https://packetstorm.news/files/id/160160 • CWE-522: Insufficiently Protected Credentials •