CVE-2018-12483
https://notcve.org/view.php?id=CVE-2018-12483
OCS Inventory 2.4.1 is prone to a remote command-execution vulnerability. Specifically, this issue occurs because the content of the ipdiscover_analyser rzo GET parameter is concatenated to a string used in an exec() call in the PHP code. Authentication is needed in order to exploit this vulnerability. • https://www.tarlogic.com/en/blog/vulnerabilities-in-ocs-inventory-2-4-1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-1000557
https://notcve.org/view.php?id=CVE-2018-1000557
OCS Inventory NG ocsreports version 2.4 contains a Cross-Site Scripting (XSS) vulnerability in the login form and search functionality that can allow an attacker to execute arbitrary JavaScript code within a victim's browser. The attack appears to be exploitable when a victim opens a crafted link to the application. This vulnerability appears to have been fixed in ocsreports 2.4.1. • https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-1000558
https://notcve.org/view.php?id=CVE-2018-1000558
OCS Inventory NG ocsreports versions 2.4 and 2.3.1 contain a SQL Injection vulnerability in web search that can allow an authenticated attacker to gain full access to data stored within the database. The attack appears to be exploitable by sending crafted requests. This vulnerability appears to have been fixed in 2.4.1. • https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released https://www.secuvera.de/advisories/secuvera-SA-2017-04.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-4722
https://notcve.org/view.php?id=CVE-2014-4722
Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports Web Interface in OCS Inventory NG allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://packetstormsecurity.com/files/127295/OCS-Inventory-NG-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/532664/100/0/threaded http://www.securityfocus.com/bid/68292 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-4024 – OCS Inventory NG 2.0.1 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-4024
Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. OCS Inventory NG version 2.0.1 suffers from a persistent cross-site scripting vulnerability. • https://www.exploit-db.com/exploits/18005 http://osvdb.org/76135 http://secunia.com/advisories/46311 http://securityreason.com/securityalert/8477 http://www.exploit-db.com/exploits/18005 http://www.mandriva.com/security/advisories?name=MDVSA-2012:053 http://www.ocsinventory-ng.org/fr/accueil/nouvelles/version-2-0-2-stable.html http://www.securityfocus.com/bid/50011 https://exchange.xforce.ibmcloud.com/vulnerabilities/70406 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')