Page 3 of 566 results (0.003 seconds)

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2024 — A reflected cross-site scripting (XSS) vulnerability exists in the PAM UI web interface. A remote attacker able to convince a PAM user to click on a specially crafted link to the PAM UI web interface could execute arbitrary client-side code in the context of PAM UI. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

15 Jul 2024 — This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 8.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2024 — The vulnerability allows an unauthenticated attacker to read arbitrary information from the database. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2024 — The vulnerability allows a malicious low-privileged PAM user to perform server-upgrade-related actions. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2024 — The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-306: Missing Authentication for Critical Function

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

15 Jul 2024 — This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2024 — Improper input validation allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-665: Improper Initialization

CVSS: 9.0 | EPSS: 0% | CPEs: 36 | EXPL: 1

09 Jul 2024 — The RADIUS protocol as specified in RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid response (Access-Accept, Access-Reject, or Access-Challenge) into any other response using a chosen-prefix collision attack against the MD5 Response Authenticator signature. • https://github.com/alperenugurlu/CVE-2024-3596-Detector • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-328: Use of Weak Hash • CWE-354: Improper Validation of Integrity Check Value • CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
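The entry above only names the weak primitive. The example below, added here and not taken from the advisory or from the linked detector project, shows why the MD5 Response Authenticator of RFC 2865 is the problem and what the standard mitigation checks: a client that computes the Response Authenticator exactly as the RFC does, and additionally requires and verifies the RFC 2869 Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret). The shared secret, Request Authenticator and packets are constructed for the example. The forged Access-Accept is built with a valid Response Authenticator computed from the secret; that stands in for what the chosen-prefix collision delivers to an attacker who does not know the secret, since the code that accepts the forgery is the same either way.

```python
"""RADIUS response integrity: MD5 Response Authenticator (RFC 2865) versus
HMAC-MD5 Message-Authenticator (RFC 2869). Added example; secret and packets are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 18, 80
SECRET = b"constructed-shared-secret"   # constructed, not a real deployment value


def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, header included) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(packet):
    attrs, i = [], 20
    while i < len(packet):
        t, ln = packet[i], packet[i + 1]
        if ln < 2 or i + ln > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[i + 2:i + ln]))
        i += ln
    return attrs


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    A chosen-prefix MD5 collision lets an on-path attacker keep this digest while
    changing Code and Attributes; that is the CVE-2024-3596 forgery."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def message_authenticator(packet, request_auth, secret):
    """RFC 2869 s.5.14: HMAC-MD5(secret) over the packet with the Authenticator field
    set to the Request Authenticator and the Message-Authenticator value zeroed."""
    zeroed = bytearray()
    for t, v in decode_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR:
            v = b"\x00" * len(v)
        zeroed += bytes([t, len(v) + 2]) + v
    return hmac.new(secret, packet[:4] + request_auth + bytes(zeroed), hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_ma=True):
    """Server side: compute Message-Authenticator first, then the Response Authenticator over it."""
    if with_ma:
        attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_ma:
        ma = message_authenticator(header + request_auth + body, request_auth, secret)
        body = body[:-16] + ma  # Message-Authenticator is the last attribute; its value is the final 16 bytes
    return header + response_authenticator(code, ident, request_auth, body, secret) + body


def verify_response(packet, request_auth, secret, require_ma):
    """Client side. With require_ma=False a forgery that satisfies only the MD5 check is accepted."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    body = packet[20:]
    if not hmac.compare_digest(packet[4:20], response_authenticator(code, ident, request_auth, body, secret)):
        return False
    mas = [v for t, v in decode_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        return not require_ma
    if len(mas) != 1 or len(mas[0]) != 16:
        return False
    return hmac.compare_digest(mas[0], message_authenticator(packet, request_auth, secret))


def demo():
    request_auth = bytes(range(16))  # constructed Request Authenticator
    reject = build_response(ACCESS_REJECT, 7, request_auth, [(REPLY_MESSAGE, b"denied")], SECRET, with_ma=False)
    # Attacker rewrites Reject -> Accept. The valid digest below stands in for the collision result;
    # the real attack obtains an equally valid digest without knowing the secret.
    forged_body = encode_attrs([(REPLY_MESSAGE, b"denied")])
    forged = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(forged_body))
              + response_authenticator(ACCESS_ACCEPT, 7, request_auth, forged_body, SECRET) + forged_body)
    signed = build_response(ACCESS_ACCEPT, 7, request_auth, [(USER_NAME, b"alice")], SECRET)
    tampered = bytes([ACCESS_REJECT]) + signed[1:]  # flip Code on a signed packet
    return {
        "legit_reject_accepted": verify_response(reject, request_auth, SECRET, require_ma=False),
        "forgery_accepted_md5_only": verify_response(forged, request_auth, SECRET, require_ma=False),
        "forgery_rejected_with_ma": not verify_response(forged, request_auth, SECRET, require_ma=True),
        "signed_accept_ok": verify_response(signed, request_auth, SECRET, require_ma=True),
        "tampered_signed_rejected": not verify_response(tampered, request_auth, SECRET, require_ma=True),
    }


if __name__ == "__main__":
    print(demo())
```

The operational point is the `require_ma` flag: a client that merely checks the MD5 Response Authenticator accepts the forgery, while one that insists on a Message-Authenticator cannot be satisfied by a collision, because the attacker has no way to produce the HMAC without the secret. Both ends must be configured so that Access-Request packets carry the attribute and responses without it are dropped; UDP RADIUS over a non-private path should also move to RADIUS over TLS.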

CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Jun 2024 — A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to a hard-coded default community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 1 queries to an affected device. • https://packetstorm.news/files/id/190177 • CWE-798: Use of Hard-coded Credentials

CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Jun 2024 — A vulnerability in a password management API in Brocade Fabric OS versions before v9.2.1, v9.2.0b, v9.1.1d, and v8.2.3e prints sensitive information in log files. This could allow an authenticated user to view the server passwords for protocols such as scp and sftp. Detail: when the firmwaredownload command is incorrectly entered or points to an erroneous file, the firmware download log captures the failed command, including any password entered in the command line. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23226 • CWE-312: Cleartext Storage of Sensitive Information
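The failure mode in this entry is generic: a failed command line is copied verbatim into a log, credentials included. The example below is added here and is not Fabric OS code; it shows the two checks a practitioner wants, redacting credential tokens before a failed command is logged, and auditing an existing log for lines that still carry one. The argument shapes it recognises (`--password <value>`, `password=<value>`, and `user:password@host` inside an scp/sftp/ftp URL) are assumptions about what such a command line might contain, not the actual firmwaredownload syntax, and the log lines are constructed.

```python
"""Redact credentials from command lines before logging, and audit a log for leaks.
Added example; the option shapes are assumptions, not Fabric OS syntax. Sample log is constructed."""
import re

# Each pattern captures the prefix to keep in group 1 and the secret after it in group 2.
_CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)(--password[ =])(\S+)"),                          # --password secret / --password=secret
    re.compile(r"(?i)(\bpassword[=:])(\S+)"),                           # password=secret
    re.compile(r"(?i)((?:scp|sftp|ftp)://[^:/@\s]+:)([^@\s]+)(?=@)"),  # sftp://user:secret@host/...
]
_MASK = "***"


def redact_command(cmd: str) -> str:
    """Return cmd with every recognised credential token replaced by the mask."""
    for pattern in _CREDENTIAL_PATTERNS:
        cmd = pattern.sub(lambda m: m.group(1) + _MASK, cmd)
    return cmd


def log_failed_command(cmd: str, log: list) -> str:
    """Append a record of a failed command to log (a list standing in for the log file),
    redacting first so the password never reaches disk."""
    entry = "firmwaredownload failed: " + redact_command(cmd)
    log.append(entry)
    return entry


def find_leaked_credentials(lines):
    """Audit existing log lines: return those that still carry a credential-looking token."""
    return [line for line in lines if redact_command(line) != line]


SAMPLE_LOG = [  # constructed lines, written the way the unpatched behaviour would record them
    "firmwaredownload failed: firmwaredownload --host 10.0.0.5 --user admin --password Hunter2 --file /fw/v9.2.1.zip",
    "firmwaredownload failed: firmwaredownload sftp://admin:Hunter2@10.0.0.5/fw/v9.2.1.zip",
    "firmwaredownload ok: firmwaredownload --host 10.0.0.5 --user admin --file /fw/v9.2.1.zip",
]

if __name__ == "__main__":
    log = []
    print(log_failed_command("firmwaredownload --host 10.0.0.5 --user admin --password Hunter2 --file /nope", log))
    for leaked in find_leaked_credentials(SAMPLE_LOG):
        print("LEAK:", leaked)
```

Redaction by pattern is a backstop, not a substitute for the real fix (never put the password on the command line; read it from a prompt or a protected file), since any shape the patterns miss goes to the log in clear. The audit function is the useful part after patching: run it over the firmware download log on affected switches and rotate any scp/sftp password it finds.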