
CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated network-based attacker to access reports, potentially containing sensitive configuration information, without authenticating. A feature was introduced in version 3.1.0 of the Paragon Active Assurance Control Center which allows users to selectively share account data. • https://supportportal.juniper.net/JSA75727 https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N • CWE-284: Improper Access Control •

CVSS: 6.5 • EPSS: 0% • CPEs: 7 • EXPL: 0

ONTAP versions 9.4 and higher are susceptible to a vulnerability which, when successfully exploited, could lead to disclosure of sensitive information to unprivileged attackers when the object-store profiler command is being run by an administrative user. • https://security.netapp.com/advisory/ntap-20240111-0001 •

CVSS: 8.8 • EPSS: 0% • CPEs: 14 • EXPL: 1

This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. • https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/settings.go#L18 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/terminal/pty.go#L11 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/internal/pty/pipeline.go#L29 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/router/middleware.go#L45 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/settings/server.go#L12 https://githu • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 7.0 • EPSS: 0% • CPEs: 14 • EXPL: 1

This issue may lead to information disclosure. • https://github.com/0xJacky/nginx-ui/commit/ec93ab05a3ecbb6bcf464d9dca48d74452df8a5b https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h374-mm57-879c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8 • EPSS: 0% • CPEs: 14 • EXPL: 1

This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. • https://github.com/0xJacky/nginx-ui/commit/827e76c46e63c52114a62a899f61313039c754e3 https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-pxmr-q2x3-9x9m • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •