
CVE-2021-28485
https://notcve.org/view.php?id=CVE-2021-28485
14 Sep 2023 — In Ericsson Mobile Switching Center Server (MSC-S) before IS 3.1 CP22, the SIS web application allows relative path traversal via a specific parameter in the HTTPS request after authentication, which allows access to files on the system that are not intended to be accessible via the web application. • https://www.ericsson.com/en/about-us/security/psirt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-46408
https://notcve.org/view.php?id=CVE-2022-46408
29 Jun 2023 — Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability. • https://www.gruppotim.it/it/footer/red-team.html • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2022-46407
https://notcve.org/view.php?id=CVE-2022-46407
29 Jun 2023 — Ericsson Network Manager (ENM), versions prior to 22.2, contains a vulnerability in the REST endpoint “editprofile” where Open Redirect HTTP Header Injection can lead to redirection of the submitted request to a domain outside the control of the ENM deployment. The attacker would need admin/elevated access to exploit the vulnerability. • https://www.gruppotim.it/it/footer/red-team.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2021-32570
https://notcve.org/view.php?id=CVE-2021-32570
25 Aug 2022 — In Ericsson Network Manager (ENM) releases before 21.2, users belonging to the same AMOS authorization group can retrieve the data from certain log files. All AMOS users are considered to be highly privileged users in the ENM system and all must be previously defined and authorized by the Security Administrator. Those users can access some log files, under a common path, and read information stored in the log files in order to conduct privilege escalation. • https://www.ericsson.com • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2021-28488
https://notcve.org/view.php?id=CVE-2021-28488
08 Mar 2022 — Ericsson Network Manager (ENM) before 21.2 has incorrect access-control behavior (that only affects the level of access available to persons who were already granted a highly privileged role). Users in the same AMOS authorization group can retrieve managed-network data that was not set to be accessible to the entire group (i.e., was only set to be accessible to a subset of that group). • https://www.ericsson.com • CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2021-44217
https://notcve.org/view.php?id=CVE-2021-44217
18 Jan 2022 — In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API. • https://github.com/Hyperkopite/CVE-2021-44217 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-43339 – Ericsson Network Location MPS GMPC21 - Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2021-43339
03 Nov 2021 — In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created. • https://www.exploit-db.com/exploits/50468 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2021-32571
https://notcve.org/view.php?id=CVE-2021-32571
14 Oct 2021 — In OSS-RC systems of release 18B and older, during data migration procedures, certain files containing usernames and passwords are left undeleted on the system, but in folders accessible by top privileged accounts only. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to. • https://www.gruppotim.it/it/innovazione/servizi-digitali/cybersecurity/red-team.html • CWE-459: Incomplete Cleanup •

CVE-2021-32569
https://notcve.org/view.php?id=CVE-2021-32569
14 Oct 2021 — In OSS-RC systems of release 18B and older, customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in the new Ericsson library browsing tool ELEX used in systems like Ericsson Network Manager. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to. • https://www.gruppotim.it/it/innovazione/servizi-digitali/cybersecurity/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-41391
https://notcve.org/view.php?id=CVE-2021-41391
17 Sep 2021 — In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account takeover. • https://the-it-wonders.blogspot.com/2021/09/ericsson-ecm-enterprise-content.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •