
CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 1

An issue was discovered in EMC RecoverPoint for Virtual Machines versions prior to 5.1.1, EMC RecoverPoint version 5.1.0.0, and EMC RecoverPoint versions prior to 5.0.1.3. Command injection vulnerability in Admin CLI may allow a malicious user with admin privileges to escape from the restricted shell to an interactive shell and run arbitrary commands with root privileges. EMC RecoverPoint version 4.3 suffers from an administrative CLI command injection vulnerability.
• https://www.exploit-db.com/exploits/44614 http://seclists.org/fulldisclosure/2018/Feb/9 http://www.securitytracker.com/id/1040320
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.8 | EPSS: 34% | CPEs: 1 | EXPL: 0

In Dell Storage Manager versions earlier than 16.3.20, the EMConfigMigration service is affected by a directory traversal vulnerability. A remote malicious user could potentially exploit this vulnerability to read unauthorized files by supplying specially crafted strings in input parameters of the application. A malicious user cannot delete or modify any files via this vulnerability.
• http://topics-cdn.dell.com/pdf/storage-sc2000_release%20notes24_en-us.pdf http://www.securityfocus.com/bid/103467
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

In Dell EMC VNX2 versions prior to Operating Environment for File 8.1.9.217 and VNX1 versions prior to Operating Environment for File 7.1.80.8, a web server error page in VNX Control Station is impacted by a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary HTML code in the user's browser session in the context of the affected web application.
• http://seclists.org/fulldisclosure/2017/Dec/87
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

The web user interface of Dell 2335dn and 2355dn Multifunction Laser Printers, firmware versions prior to V2.70.06.26 A13 and V2.70.45.34 A10 respectively, is affected by a cross-site scripting vulnerability. Attackers could potentially exploit this vulnerability to execute arbitrary HTML or JavaScript code in the user's browser session in the context of the affected website.
• http://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverId=782W3 http://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverId=CG55V
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The SMI-S service in Dell Storage Manager versions earlier than 16.3.20 (aka 2016 R3.20) is protected using a hard-coded password. A remote user with the knowledge of the password might potentially disable the SMI-S service via HTTP requests, affecting storage management and monitoring functionality via the SMI-S interface. This issue, aka DSM-30415, only affects a Windows installation of the Data Collector (not applicable to the virtual appliance).
• http://topics-cdn.dell.com/pdf/storage-sc2000_release%20notes24_en-us.pdf
• CWE-798: Use of Hard-coded Credentials