
CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in TitanHQ WebTitan before 5.18. It contains a Remote Code Execution issue through which an attacker can execute arbitrary code as root. The issue stems from the hotfix download mechanism, which downloads a shell script via HTTP, and then executes it as root. This is analogous to CVE-2019-6800 but for a different product.
• https://write-up.github.io/webtitan • https://www.webtitan.com/resources/product-updates • CWE-346: Origin Validation Error

CVSS: 4.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in TitanHQ WebTitan before 5.18. It exposes a database configuration file under /include/dbconfig.ini in the web administration interface, revealing what database the web application is using.
• https://write-up.github.io/webtitan • https://www.webtitan.com/resources/product-updates • CWE-552: Files or Directories Accessible to External Parties

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in TitanHQ WebTitan before 5.18. The appliance has a hard-coded root password set during installation. An attacker could utilize this to gain root privileges on the system.
• https://write-up.github.io/webtitan • https://www.webtitan.com/resources/product-updates • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') • CWE-798: Use of Hard-coded Credentials

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in TitanHQ WebTitan before 5.18. Some functions, such as /history-x.php, of the administration interface are vulnerable to SQL Injection through the results parameter. This could be used by an attacker to extract sensitive information from the appliance database.
• https://write-up.github.io/webtitan • https://www.webtitan.com/resources/product-updates • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in TitanHQ WebTitan before 5.18. The proxy service (which is typically exposed to all users) allows connections to the internal PostgreSQL database of the appliance. By connecting to the database through the proxy (without password authentication), an attacker is able to fully control the appliance database. Through this, several different paths exist to gain further access, or execute code.
• https://write-up.github.io/webtitan • https://www.webtitan.com/resources/product-updates • CWE-668: Exposure of Resource to Wrong Sphere