CVSS: 9.0EPSS: 2%CPEs: 3EXPL: 0CVE-2014-8420 – Dell Sonicwall GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-8420
The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors. La aplicación web ViewPoint en Dell SonicWALL Global Management System (GMS) anterior a 7.2 SP2, SonicWALL Analyzer anterior a 7.2 SP2, y SonicWALL UMA anterior a 7.2 SP2 permite a usuarios remotos autenticados ejecutar código arbitrario a través de vectores no especificados. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Dell SonicWALL Global Management System (GMS) virtual appliance. Authentication is required to exploit this vulnerability. The specific flaw exists within the GMS ViewPoint (GMSVP) web application. The issue lies in the handling of configuration input due to a failure to safely sanitize user data before executing a command. • http://www.securityfocus.com/bid/71241 http://www.zerodayinitiative.com/advisories/ZDI-14-385 https://exchange.xforce.ibmcloud.com/vulnerabilities/98911 https://support.software.dell.com/product-notification/136814 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 3CVE-2014-5024
https://notcve.org/view.php?id=CVE-2014-5024
Cross-site scripting (XSS) vulnerability in sgms/panelManager in Dell SonicWALL GMS, Analyzer, and UMA before 7.2 SP1 allows remote attackers to inject arbitrary web script or HTML via the node_id parameter. Vulnerabilidad de XSS en sgms/panelManager en Dell SonicWALL GMS, Analyzer y UMA anterior a 7.2 SP1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrario a través del parámetro node_id. • http://packetstormsecurity.com/files/127575/SonicWALL-GMS-7.2-Build-7221.1701-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Jul/125 http://secunia.com/advisories/60287 http://www.securityfocus.com/bid/68829 https://support.software.dell.com/product-notification/128245 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2014-4976
https://notcve.org/view.php?id=CVE-2014-4976
Dell SonicWall Scrutinizer 11.0.1 allows remote authenticated users to change user passwords via the user ID in the savePrefs parameter in a change password request to cgi-bin/admin.cgi. SonicWall Scrutinizer versión 11.0.1 de Dell, permite a los usuarios autenticados remotos cambiar contraseñas de usuario por medio del ID de usuario en el parámetro savePrefs en una petición de cambio de contraseña en el archivo cgi-bin/admin.cgi. • http://packetstormsecurity.com/files/127429/Dell-Sonicwall-Scrutinizer-11.01-Code-Execution-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Jul/44 http://www.securityfocus.com/bid/68495 https://exchange.xforce.ibmcloud.com/vulnerabilities/94438 https://gist.github.com/brandonprry/36b4b8df1cde279a9305 https://gist.github.com/brandonprry/76741d9a0d4f518fe297 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 96%CPEs: 1EXPL: 2CVE-2014-4977 – Dell SonicWALL Scrutinizer 11.01 - methodDetail SQL Injection
https://notcve.org/view.php?id=CVE-2014-4977
Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php. Múltiples vulnerabilidades de inyección SQL en Dell SonicWall Scrutinizer 11.0.1 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del (1) parámetro selectedUserGroup en una solicitud de crear un usuario nuevo en cgi-bin/admin.cgi o el (2) parámetro user_id en la función changeUnit, (3) parámetro methodDetail en la función methodDetail o (4) parámetro xcNetworkDetail en la función xcNetworkDetail en d4d/exporters.php. • https://www.exploit-db.com/exploits/39836 http://packetstormsecurity.com/files/127429/Dell-Sonicwall-Scrutinizer-11.01-Code-Execution-SQL-Injection.html http://packetstormsecurity.com/files/137098/Dell-SonicWALL-Scrutinizer-11.01-methodDetail-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Jul/44 http://www.securityfocus.com/bid/68495 https://exchange.xforce.ibmcloud.com/vulnerabilities/94439 https://gist.github.com/brandonprry/36b4b8df1cde279a9305 https://gist.github.com/brandonprry/76741d9a0d4f518fe297 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2014-2879 – Dell SonicWALL EMail Security Appliance Application 7.4.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-2879
Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2) the uploadLicenses parameter in the License management (settings_upload_dlicense.html) page. Múltiples vulnerabilidades de XSS en Dell SonicWALL Email Security 7.4.5 y anteriores permiten a administradores remotos autenticados inyectar script Web o HTML arbitrarios a través del parámetro (1) uploadPatch hacia la página System/Advanced (settings_advanced.html) o (2) uploadLicenses en la página License management (settings_upload_dlicense.html). • https://www.exploit-db.com/exploits/32556 http://seclists.org/fulldisclosure/2014/Mar/409 http://www.securityfocus.com/archive/1/531642/100/0/threaded http://www.securityfocus.com/bid/66501 http://www.securitytracker.com/id/1029965 http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf http://www.vulnerability-lab.com/get_content.php?id=1191 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •