
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie.

• https://github.com/EyesOfNetworkCommunity/eonweb/issues/51
• https://github.com/EyesOfNetworkCommunity/eonweb/releases/tag/5.3-3
• https://github.com/h4knet/eonrce
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 5

An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7. EyesOfNetwork version 5.3 suffers from code execution and remote SQL injection vulnerabilities.

• https://www.exploit-db.com/exploits/48169
• https://www.exploit-db.com/exploits/48025
• http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
• https://github.com/EyesOfNetworkCommunity/eonconf/issues/8
• https://github.com/h4knet/eonrce
• CWE-269: Improper Privilege Management

CVSS: 9.0 • EPSS: 2% • CPEs: 1 • EXPL: 5

An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field. EyesOfNetwork version 5.3 suffers from code execution and remote SQL injection vulnerabilities.

• https://www.exploit-db.com/exploits/48169
• https://www.exploit-db.com/exploits/48025
• http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
• https://github.com/EyesOfNetworkCommunity/eonweb/issues/50
• https://github.com/h4knet/eonrce
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 • EPSS: 7% • CPEs: 1 • EXPL: 4

An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php. EyesOfNetwork version 5.3 suffers from code execution and remote SQL injection vulnerabilities.

• https://www.exploit-db.com/exploits/48169
• https://www.exploit-db.com/exploits/48025
• http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
• https://github.com/EyesOfNetworkCommunity/eonapi/issues/16
• https://github.com/h4knet/eonrce
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 18% • CPEs: 1 • EXPL: 2

An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default.

• https://www.exploit-db.com/exploits/48169
• http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
• https://github.com/EyesOfNetworkCommunity/eonapi/issues/17
• https://github.com/h4knet/eonrce
• CWE-798: Use of Hard-coded Credentials