Page 2 of 10 results (0.009 seconds)

CVSS: 6.8EPSS: 39%CPEs: 2EXPL: 0

Directory traversal vulnerability in the ReportViewServlet servlet in the server in NetIQ Sentinel 7.4.x before 7.4.2 allows remote attackers to read arbitrary files via a PREVIEW value for the fileType field. Vulnerabilidad de salto de directorio en el servlet ReportViewServlet en NetIQ Sentinel 7.4.x en versiones anteriores a 7.4.2 permite a atacantes remotos leer archivos arbitrarios a través de un valor PREVIEW para el archivo fileType. This vulnerability allows remote attackers to disclose arbitrary file contents on vulnerable installations of Novell NetIQ Sentinel Server. Authentication is required to exploit this vulnerability but it can be bypassed using a separate flaw within the LogonFormController. The specific flaw exists within the ReportViewServlet servlet. When fileType is specified as "PREVIEW", the fileName parameter is vulnerable to directory traversal. • http://www.zerodayinitiative.com/advisories/ZDI-16-406 https://www.netiq.com/support/kb/doc.php?id=7017803 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Cross-site request forgery (CSRF) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to hijack the authentication of an administrator for requests that trigger snapshots. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en wordpress_sentinel.php en el plugin Sentinel v1.0.0 para WordPress, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que provocan instantáneas. Cross-site request forgery (CSRF) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to hijack the authentication of an administrator for requests that trigger snapshots. The WordPress Sentinel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing nonce validation on several functions. This makes it possible for unauthenticated attackers to perform administrative actions like modifying the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • http://osvdb.org/77778 http://plugins.trac.wordpress.org/changeset?reponame=&new=475315%40wordpress-sentinel&old=474998%40wordpress-sentinel http://secunia.com/advisories/47020 http://wordpress.org/extend/plugins/wordpress-sentinel/changelog http://www.boiteaweb.fr/wordpress-sentinel-v1-0-0-3104.html http://www.securityfocus.com/bid/51089 https://exchange.xforce.ibmcloud.com/vulnerabilities/71857 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Cross-site scripting (XSS) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en wordpress_sentinel.php en el plugin Sentinel v1.0.0 para WordPress, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores desconocidos. • http://osvdb.org/77777 http://plugins.trac.wordpress.org/changeset?reponame=&new=475315%40wordpress-sentinel&old=474998%40wordpress-sentinel http://secunia.com/advisories/47020 http://wordpress.org/extend/plugins/wordpress-sentinel/changelog http://www.boiteaweb.fr/wordpress-sentinel-v1-0-0-3104.html http://www.securityfocus.com/bid/51089 https://exchange.xforce.ibmcloud.com/vulnerabilities/71854 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

SQL injection vulnerability in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en Sentinel plugin v1.0.0 para WordPress, permite a atacantes remotos ejecutar comandos SQL de su elección a través de vectores desconocidos. • http://osvdb.org/77779 http://plugins.trac.wordpress.org/changeset?reponame=&new=475315%40wordpress-sentinel&old=474998%40wordpress-sentinel http://wordpress.org/extend/plugins/wordpress-sentinel/changelog http://www.boiteaweb.fr/wordpress-sentinel-v1-0-0-3104.html http://www.securityfocus.com/bid/51089 https://exchange.xforce.ibmcloud.com/vulnerabilities/71858 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

SQL injection vulnerability in the login form in the web interface in Mercator SENTINEL 2.0 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Una vulnerabilidad de inyección SQL en el formulario de acceso en la interfaz web de Mercator SENTINEL v2.0 permite a atacantes remotos ejecutar comandos SQL a través de vectores no especificados. • http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-%C2%AB-sentinel-safety-information-management-system-%C2%BB http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-suite http://secunia.com/advisories/46014 http://www.kb.cert.org/vuls/id/122142 http://www.securityfocus.com/bid/49638 https://exchange.xforce • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •