CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-1636 – Microsoft SQL Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2021-1636
Microsoft SQL Elevation of Privilege Vulnerability Una Vulnerabilidad de Elevación de Privilegios de Microsoft SQL • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1636 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 97%CPEs: 3EXPL: 6CVE-2020-0618 – Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-0618
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'. Se presenta una vulnerabilidad de ejecución de código remota en Microsoft SQL Server Reporting Services cuando maneja inapropiadamente las peticiones de página, también se conoce como "Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability". A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server. Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. • https://www.exploit-db.com/exploits/48816 https://github.com/euphrat1ca/CVE-2020-0618 https://github.com/itstarsec/CVE-2020-0618 http://packetstormsecurity.com/files/156707/SQL-Server-Reporting-Services-SSRS-ViewState-Deserialization.html http://packetstormsecurity.com/files/159216/Microsoft-SQL-Server-Reporting-Services-2016-Remote-Code-Execution.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618 https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporti • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-8516
https://notcve.org/view.php?id=CVE-2017-8516
Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, Microsoft SQL Server 2014, and Microsoft SQL Server 2016 allows an information disclosure vulnerability when it improperly enforces permissions, aka "Microsoft SQL Server Analysis Services Information Disclosure Vulnerability". Microsoft SQL Server Analysis Services en Microsoft SQL Server 2012, Microsoft SQL Server 2014, y Microsoft SQL Server 2016 permite una vulnerabilidad de divulgación de información cuando aplica permisos de forma incorrecta. Esta vulnerabilidad también es denominada "Microsoft SQL Server Analysis Services Information Disclosure Vulnerability". • http://www.securityfocus.com/bid/100041 http://www.securitytracker.com/id/1039110 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8516 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 0CVE-2016-7253
https://notcve.org/view.php?id=CVE-2016-7253
The agent in Microsoft SQL Server 2012 SP2, 2012 SP3, 2014 SP1, 2014 SP2, and 2016 does not properly check the atxcore.dll ACL, which allows remote authenticated users to gain privileges via unspecified vectors, aka "SQL Server Agent Elevation of Privilege Vulnerability." El agente en Microsoft SQL Server 2012 SP2, 2012 SP3, 2014 SP1, 2014 SP2 y 2016 no comprueba correctamente el atxcore.dll ACL, lo que permite a usuarios remotos autenticados obtener privilegios a través de vectores no especificados, vulnerabilidad también conocida como "SQL Server Agent Elevation of Privilege Vulnerability". • http://www.securityfocus.com/bid/94056 http://www.securitytracker.com/id/1037250 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-136 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 26%CPEs: 2EXPL: 0CVE-2016-7254
https://notcve.org/view.php?id=CVE-2016-7254
Microsoft SQL Server 2012 SP2 and 2012 SP3 does not properly perform a cast of an unspecified pointer, which allows remote authenticated users to gain privileges via unknown vectors, aka "SQL RDBMS Engine Elevation of Privilege Vulnerability." Microsoft SQL Server 2012 SP2 y 2012 SP3 no realiza correctamente el molde de un puntero no especificado, lo que permite usuarios remotos autenticados obtener privilegios a través de vectores desconocidos, vulnerabilidad también conocida como "SQL RDBMS Engine Elevation of Privilege Vulnerability". • http://www.securityfocus.com/bid/94061 http://www.securitytracker.com/id/1037250 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-136 • CWE-264: Permissions, Privileges, and Access Controls •