CVE-2012-2626 – Scrutinizer 9.0.1.19899 - HTTP Authentication Bypass
https://notcve.org/view.php?id=CVE-2012-2626
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action. cgi-bin/admin.cgi en la consola web Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer) anterior a v9.5.0 no requiere la autenticación de token, lo que permite a atacantes remotos agregar las cuentas administrativas a través de una acción userprefs. Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/37549 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt • CWE-287: Improper Authentication •
CVE-2012-3848 – Scrutinizer 9.0.1.19899 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-3848
Multiple cross-site scripting (XSS) vulnerabilities in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to d4d/exporters.php, (2) the HTTP Referer header to d4d/exporters.php, or (3) unspecified input to d4d/contextMenu.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en la consola web en Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer), permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) la cadena de petición sobre d4d/exporters.php, (2) la cabecera HTTP Referer sobre d4d/exporters.php, o (3) entrada no especificada sobre d4d/contextMenu.php. Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/37547 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-2962 – Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php?q' SQL Injection
https://notcve.org/view.php?id=CVE-2012-2962
SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter. Vulnerabilidad de inyección de secuencias de comandos en d4d/statusFilter.php en Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer) anterior a v9.5.2 permite a usuarios remotos autenticados ejecutar comandos SQL a través del parámetro q. Dell SonicWALL Scrutinizer version 9.0.1 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/20033 https://www.exploit-db.com/exploits/20204 http://secunia.com/advisories/50052 http://www.exploit-db.com/exploits/20033 http://www.kb.cert.org/vuls/id/404051 http://www.osvdb.org/84232 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html http://www.securityfocus.com/bid/54625 http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf https://exchange.xforce • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •