CVE-2012-1258 – Scrutinizer NetFlow & sFlow Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1258
cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allows remote attackers to add user accounts with administrator privileges via the newuser, pwd, and selectedUserGroup parameters.
Scrutinizer NetFlow and sFlow Analyzer version 8.6.2 suffers from authentication bypass, cross site scripting, and remote SQL injection vulnerabilities.
• https://www.exploit-db.com/exploits/18750
• http://packetstormsecurity.org/files/111791/Scrutinizer-8.6.2-Bypass-Cross-Site-Scripting-SQL-Injection.html
• http://www.exploit-db.com/exploits/18750
• http://www.securityfocus.com/bid/52989
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74824
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/twsl2012-008-multiple-vulnerabilities-in-scrutinizer-netflow-sflow-analyzer
• CWE-287: Improper Authentication
CVE-2012-1259 – Scrutinizer NetFlow & sFlow Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1259
Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrut_fa_exclusions.cgi, (2) getPermissionsAndPreferences parameter to cgi-bin/login.cgi, or (3) possibly certain parameters to d4d/alarms.php as demonstrated by the search_str parameter.
Scrutinizer NetFlow and sFlow Analyzer version 8.6.2 suffers from authentication bypass, cross site scripting, and remote SQL injection vulnerabilities.
• https://www.exploit-db.com/exploits/18750
• http://packetstormsecurity.org/files/111791/Scrutinizer-8.6.2-Bypass-Cross-Site-Scripting-SQL-Injection.html
• http://www.exploit-db.com/exploits/18750
• http://www.securityfocus.com/bid/52989
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74826
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/twsl2012-008-multiple-vulnerabilities-in-scrutinizer-netflow-sflow-analyzer
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2012-1260 – Scrutinizer NetFlow & sFlow Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1260
Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script.
• https://www.exploit-db.com/exploits/18750
• http://packetstormsecurity.org/files/111791/Scrutinizer-8.6.2-Bypass-Cross-Site-Scripting-SQL-Injection.html
• http://www.exploit-db.com/exploits/18750
• http://www.securityfocus.com/bid/52989
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74825
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/twsl2012-008-multiple-vulnerabilities-in-scrutinizer-netflow-sflow-analyzer
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')