Page 2 of 8 results (0.006 seconds)

CVSS: 9.1EPSS: 0%CPEs: 15EXPL: 0

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system. Dell EMC Data Protection Advisor versiones 6.3, 6.4, 6.5, 18.2 anteriores al parche 83 y las versiones 19.1 anteriores al parche 71 contiene una vulnerabilidad de falta de autorización del servidor en la API REST. Un usuario malicioso autenticado remoto con privilegios administrativos puede explotar esta vulnerabilidad para alterar la lista permitida de comandos de Sistema Operativo de la aplicación. • https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities • CWE-862: Missing Authorization •

CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0

Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request. Dell EMC Data Protection Advisor, en versiones 6.2, 6,3, 6.4 y 6.5 y Dell EMC Integrated Data Protection Appliance (IDPA) en versiones 2.0 y 2.1 contienen una vulnerabilidad de inyección XEE (XML External Entity) en la API REST. Un usuario autenticado remoto malicioso podría explotar esta vulnerabilidad para leer ciertos archivos del sistema en el servidor o provocar una denegación de servicio (DoS) proporcionando DTD (Document Type Definition) especialmente manipulados en una petición XML. • http://seclists.org/fulldisclosure/2018/Aug/5 http://www.securityfocus.com/bid/105130 http://www.securitytracker.com/id/1041417 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

EMC Data Protection Advisor 6.1.x, EMC Data Protection Advisor 6.2, EMC Data Protection Advisor 6.2.1, EMC Data Protection Advisor 6.2.2, EMC Data Protection Advisor 6.2.3 prior to patch 446 has a path traversal vulnerability that may potentially be exploited by malicious users to compromise the affected system. EMC Data Protection Advisor 6.1.x, EMC Data Protection Advisor 6.2, EMC Data Protection Advisor 6.2.1, EMC Data Protection Advisor 6.2.2, EMC Data Protection Advisor 6.2.3 anterior al parche 446 tiene una vulnerabilidad de salto de ruta que puede ser potencialmente explotada por usuarios malintencionados para comprometer el sistema afectado. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of EMC Data Protection Advisor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ImageServlet servlet which listens on TCP ports 9002 and 9004. The issue lies in the failure to properly validate a user-supplied path prior to using it in file operations. • http://www.securityfocus.com/archive/1/540067/30/0/threaded http://www.securityfocus.com/bid/95833 http://www.securitytracker.com/id/1037729 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •