CVE-2013-1360 – SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-1360
An Authentication Bypass vulnerability exists in DELL SonicWALL Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0, Analyzer 7.0, Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, and 6.0 via a crafted request to the SGMS interface, which could let a remote malicious user obtain administrative access.
SonicWALL GMS/Viewpoint/Analyzer suffers from an authentication bypass vulnerability.
References:
https://www.exploit-db.com/exploits/24203
http://archives.neohapsis.com/archives/bugtraq/2013-01/0075.html
http://www.exploit-db.com/exploits/24203
http://www.securityfocus.com/bid/57446
http://www.securitytracker.com/id/1028007
https://exchange.xforce.ibmcloud.com/vulnerabilities/81366
https://packetstormsecurity.com/files/cve/CVE-2013-1360
Weakness: CWE-287: Improper Authentication
CVE-2012-2627 – Scrutinizer 9.0.1.19899 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2012-2627
d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote attackers to create or overwrite arbitrary files in %PROGRAMFILES%\Scrutinizer\snmp\mibs\ via a multipart/form-data POST request.
Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users.
References:
https://www.exploit-db.com/exploits/37548
http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt
CVE-2012-3951 – Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential
https://notcve.org/view.php?id=CVE-2012-3951
The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session.
Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users.
References:
https://www.exploit-db.com/exploits/20355
http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt
http://web.archive.org/web/20140722224651/http://secunia.com/advisories/50074
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2012-2626 – Scrutinizer 9.0.1.19899 - HTTP Authentication Bypass
https://notcve.org/view.php?id=CVE-2012-2626
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action.
Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users.
References:
https://www.exploit-db.com/exploits/37549
http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt
Weakness: CWE-287: Improper Authentication
CVE-2012-3848 – Scrutinizer 9.0.1.19899 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-3848
Multiple cross-site scripting (XSS) vulnerabilities in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to d4d/exporters.php, (2) the HTTP Referer header to d4d/exporters.php, or (3) unspecified input to d4d/contextMenu.php.
Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users.
References:
https://www.exploit-db.com/exploits/37547
http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')