CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-35050 – User Credentials Stored in a Recoverable Format within Fidelis Network and Deception
https://notcve.org/view.php?id=CVE-2021-35050
25 Jun 2021 — User credentials stored in a recoverable format within Fidelis Network and Deception CommandPost. In the event that an attacker gains access to the CommandPost, these values could be decoded and used to login to the application. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.3. This vulnerability has been addressed in version 9.3.3 and subsequent versions. Unas credenciales de usuarios almacenadas en un formato recuperable dentro de Fidelis Network and Deception CommandP... • https://support.fidelissecurity.com/hc/en-us/categories/360001842694-Advisories-News-and-Policies • CWE-257: Storing Passwords in a Recoverable Format CWE-522: Insufficiently Protected Credentials •
CVSS: 9.9EPSS: 1%CPEs: 4EXPL: 1CVE-2021-35047 – Privileged Command Injection Vulnerability in Fidelis Network and Deception
https://notcve.org/view.php?id=CVE-2021-35047
25 Jun 2021 — Vulnerability in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with user level access to the CLI to inject root level commands into the component and neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability. Una vulnerabilidad en los componentes CommandPost, Collector y Sensor de Fidelis Network and Deception... • https://support.fidelissecurity.com/hc/en-us/categories/360001842694-Advisories-News-and-Policies • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-35048 – Unauthenticated SQL Injection Vulnerability in Fidelis Network and Deception
https://notcve.org/view.php?id=CVE-2021-35048
25 Jun 2021 — Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability. Una vulnerabilidad en Fidelis Network and Deception CommandPost permite una inyección de SQL no autenticada media... • https://support.fidelissecurity.com/hc/en-us/categories/360001842694-Advisories-News-and-Policies • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •