CVSS: 6.5EPSS: 96%CPEs: 1EXPL: 2CVE-2014-4977 – Dell SonicWALL Scrutinizer 11.01 - methodDetail SQL Injection
https://notcve.org/view.php?id=CVE-2014-4977
Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php. Múltiples vulnerabilidades de inyección SQL en Dell SonicWall Scrutinizer 11.0.1 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del (1) parámetro selectedUserGroup en una solicitud de crear un usuario nuevo en cgi-bin/admin.cgi o el (2) parámetro user_id en la función changeUnit, (3) parámetro methodDetail en la función methodDetail o (4) parámetro xcNetworkDetail en la función xcNetworkDetail en d4d/exporters.php. • https://www.exploit-db.com/exploits/39836 http://packetstormsecurity.com/files/127429/Dell-Sonicwall-Scrutinizer-11.01-Code-Execution-SQL-Injection.html http://packetstormsecurity.com/files/137098/Dell-SonicWALL-Scrutinizer-11.01-methodDetail-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Jul/44 http://www.securityfocus.com/bid/68495 https://exchange.xforce.ibmcloud.com/vulnerabilities/94439 https://gist.github.com/brandonprry/36b4b8df1cde279a9305 https://gist.github.com/brandonprry/76741d9a0d4f518fe297 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 1CVE-2012-2627 – Scrutinizer 9.0.1.19899 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2012-2627
d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote attackers to create or overwrite arbitrary files in %PROGRAMFILES%\Scrutinizer\snmp\mibs\ via a multipart/form-data POST request. d4d/uploader.php en la consola web Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer) anterior a v9.5.0 permite a atacantes remotos crear o sobreescribir archivos arbitrarios en %PROGRAMFILES%\Scrutinizer\snmp\mibs\ a través de una solicitud POST multipart/form-data Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/37548 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt •
CVSS: 7.5EPSS: 87%CPEs: 1EXPL: 2CVE-2012-3951 – Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential
https://notcve.org/view.php?id=CVE-2012-3951
The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session. El componente MySQL en Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer) v9.0.1.19899 y anteiores tiene una contraseña por defecto para el admin en (1) scrutinizer y (2) cuentas scrutremote, lo que permite a atacantes remotos ejecutar comandos SQL a través de una sesión TCP. Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/20355 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt http://web.archive.org/web/20140722224651/http://secunia.com/advisories/50074 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 57%CPEs: 1EXPL: 2CVE-2012-2626 – Scrutinizer 9.0.1.19899 - HTTP Authentication Bypass
https://notcve.org/view.php?id=CVE-2012-2626
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action. cgi-bin/admin.cgi en la consola web Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer) anterior a v9.5.0 no requiere la autenticación de token, lo que permite a atacantes remotos agregar las cuentas administrativas a través de una acción userprefs. Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/37549 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2012-3848 – Scrutinizer 9.0.1.19899 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-3848
Multiple cross-site scripting (XSS) vulnerabilities in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to d4d/exporters.php, (2) the HTTP Referer header to d4d/exporters.php, or (3) unspecified input to d4d/contextMenu.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en la consola web en Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer), permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) la cadena de petición sobre d4d/exporters.php, (2) la cabecera HTTP Referer sobre d4d/exporters.php, o (3) entrada no especificada sobre d4d/contextMenu.php. Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/37547 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •