CVE-2015-0514 – EMC M&R (Watch4net) - Credential Disclosure
https://notcve.org/view.php?id=CVE-2015-0514
EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack.
It was discovered that EMC M&R (Watch4net) credentials of remote servers stored in Watch4net are encrypted using a fixed hard-coded password. If an attacker manages to obtain a copy of the encrypted credentials, it is trivial to decrypt them.
• https://www.exploit-db.com/exploits/36436
• http://archives.neohapsis.com/archives/bugtraq/2015-01/0092.html
• http://packetstormsecurity.com/files/130910/EMC-M-R-Watch4net-Insecure-Credential-Storage.html
• http://seclists.org/fulldisclosure/2015/Mar/112
• http://www.securityfocus.com/archive/1/534923/100/0/threaded
• http://www.securityfocus.com/bid/72257
• http://www.securitytracker.com/id/1031567
• https://www.securify.nl/advisory/SFY20141101/emc_m_r__watch4net__data_storage_collector_credentials_ar
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-0516 – EMC M&R (Watch4net) - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-0516
Directory traversal vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to read arbitrary files via a crafted URL.
A path traversal vulnerability was found in EMC M&R (Watch4net) Device Discovery. This vulnerability allows an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.
• https://www.exploit-db.com/exploits/36440
• http://archives.neohapsis.com/archives/bugtraq/2015-01/0092.html
• http://seclists.org/fulldisclosure/2015/Mar/116
• http://www.securityfocus.com/archive/1/534929/100/0/threaded
• http://www.securityfocus.com/bid/72255
• http://www.securitytracker.com/id/1031567
• https://www.securify.nl/advisory/SFY20141105/path_traversal_vulnerability_in_emc_m_r__watch4net__mib_browser.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-0513 – EMC M&R (Watch4net) Alerting Frontend XSS
https://notcve.org/view.php?id=CVE-2015-0513
Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging privileged access to set crafted values of unspecified fields.
A cross-site scripting vulnerability was found in EMC M&R (Watch4net) Web Portal. This issue allows attackers to replace the report that is shown at startup; the attacker's payload will be stored in the user's profile and will be executed every time the victim logs in.
• http://archives.neohapsis.com/archives/bugtraq/2015-01/0092.html
• http://www.securityfocus.com/bid/72259
• http://www.securitytracker.com/id/1031567
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4639
https://notcve.org/view.php?id=CVE-2014-4639
EMC Documentum Web Development Kit (WDK) before 6.8 does not properly generate random numbers for a certain parameter related to Webtop components, which makes it easier for remote attackers to conduct phishing attacks via brute-force attempts to predict the parameter value.
• http://archives.neohapsis.com/archives/bugtraq/2015-01/0009.html
• http://packetstormsecurity.com/files/129822/EMC-Documentum-Web-Development-Kit-XSS-CSRF-Redirection-Injection.html
• http://www.securitytracker.com/id/1031497
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99636
• CWE-189: Numeric Errors
CVE-2014-4638
https://notcve.org/view.php?id=CVE-2014-4638
EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to conduct frame-injection attacks and obtain sensitive information via unspecified vectors.
• http://archives.neohapsis.com/archives/bugtraq/2015-01/0009.html
• http://packetstormsecurity.com/files/129822/EMC-Documentum-Web-Development-Kit-XSS-CSRF-Redirection-Injection.html
• http://www.securitytracker.com/id/1031497
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor