CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-25030
https://notcve.org/view.php?id=CVE-2019-25030
In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible. En Versa Director, Versa Analytics y VOS, las contraseñas son procesadas usando una función hash criptográfica adaptativa o una función de derivation de clave antes del almacenamiento. • https://hackerone.com/reports/1168197 • CWE-522: Insufficiently Protected Credentials •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-25029
https://notcve.org/view.php?id=CVE-2019-25029
In Versa Director, the command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. En Versa Director, la inyección de comandos es un ataque en el que el objetivo es la ejecución de comandos arbitrarios en el sistema operativo host mediante una aplicación vulnerable. • https://hackerone.com/reports/1168198 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •