CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2021-26725 – Authenticated command path traversal on timezone settings in Guardian/CMC before 20.0.7.4
https://notcve.org/view.php?id=CVE-2021-26725
Path Traversal vulnerability when changing timezone using web GUI of Nozomi Networks Guardian, CMC allows an authenticated administrator to read-protected system files. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions. Una vulnerabilidad de Salto de Ruta cuando se cambia la zona horaria usando la GUI web de Nozomi Networks Guardian y CMC, permite a un administrador autenticado tener archivos del sistema protegidos contra lectura. Este problema afecta a: Nozomi Networks Guardian versión 20.0.7.3 versión 20.0.7.3 y versiones anteriores. • https://security.nozominetworks.com/NN-2021:2-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-24: Path Traversal: '../filedir' •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-7049
https://notcve.org/view.php?id=CVE-2020-7049
Nozomi Networks OS before 19.0.4 allows /#/network?tab=network_node_list.html CSV Injection. El Sistema Operativo Nozomi Networks versiones anteriores a 19.0.4, permite una Inyección CSV de /#/network?tab=network_node_list.html • https://www2.deloitte.com/de/de/pages/risk/articles/nozomi-csv-injection.html?nc=1 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15307
https://notcve.org/view.php?id=CVE-2020-15307
Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name. Nozomi Guardian versiones anteriores a 19.0.4, permite a atacantes lograr un ataque de tipo XSS almacenados (en el front end web) al aprovechar la capacidad de crear un campo personalizado con un nombre de campo diseñado • https://www2.deloitte.com/de/de/pages/risk/articles/nozomi-stored-xss.html?nc=1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •