CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24628
https://notcve.org/view.php?id=CVE-2020-24628
A remote code injection vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3. Se detectó una vulnerabilidad de inyección de código remota en HPE KVM IP Console Switches versiones G2 4x1Ex32 anteriores a 2.8.3 • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04044en_us • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24627
https://notcve.org/view.php?id=CVE-2020-24627
A remote stored xss vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3. Se detectó una vulnerabilidad de tipo xss almacenado remoto en HPE KVM IP Console Switches versiones G2 4x1Ex32 antes de 2.8.3 • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04044en_us • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24623 – Hewlett Packard Enterprise Universal API Framework uaf_token SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-24623
A potential security vulnerability has been identified in Hewlett Packard Enterprise Universal API Framework. The vulnerability could be remotely exploited to allow SQL injection in HPE Universal API Framework for VMware Esxi v2.5.2 and HPE Universal API Framework for Microsoft Hyper-V (VHD). Se ha identificado una potencial vulnerabilidad de seguridad en Hewlett Packard Enterprise Universal API Framework. La vulnerabilidad podría ser explotada remotamente para permitir una inyección SQL en HPE Universal API Framework para VMware Esxi versión v2.5.2 y HPE Universal API Framework para Microsoft Hyper-V (VHD) This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Universal API Framework. Authentication is not required to exploit this vulnerability. The specific flaw exists within the connections resource. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04024en_us https://www.zerodayinitiative.com/advisories/ZDI-20-1208 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2020-24625 – Hewlett Packard Enterprise Pay per use UCS Meter ReceiverServlet doGet Directory Traversal Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-24625
Unathenticated directory traversal in the ReceiverServlet class doGet() method can lead to arbitrary file reads in HPE Pay Per Use (PPU) Utility Computing Service (UCS) Meter version 1.9. Un salto de directorio no autenticado en el método doGet() de la clase ReceiverServlet puede conllevar a lecturas de archivos arbitrarias en el HPE Pay Per Use (PPU) Utility Computing Service (UCS) Meter versión 1.9 This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Pay per use UCS Meter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ReceiverServlet class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose files in the context of SYSTEM. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04037en_us • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2020-24626 – Hewlett Packard Enterprise Pay per use UCS Meter ReceiverServlet doPost Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-24626
Unathenticated directory traversal in the ReceiverServlet class doPost() method can lead to arbitrary remote code execution in HPE Pay Per Use (PPU) Utility Computing Service (UCS) Meter version 1.9. Un salto de directorio no autenticado en el método doPost() de la clase ReceiverServlet puede conllevar a una ejecución de código remota arbitraria en HPE Pay Per Use (PPU) Utility Computing Service (UCS) Meter versión 1.9 This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Pay per use UCS Meter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ReceiverServlet class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04037en_us • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •