CVSS: 7.8EPSS: 97%CPEs: 1EXPL: 1CVE-2012-4957 – Novell File Reporter (NFR) Agent - XML Parsing Remote Code Execution
https://notcve.org/view.php?id=CVE-2012-4957
Absolute path traversal vulnerability in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to read arbitrary files via a /FSF/CMD request with a full pathname in a PATH element of an SRS record. Una vulnerabilidad de salto de directorio absoluto en NFRAgent.exe en Novell File Reporter v1.0.2 permite leer archivos a atacantes remotos a través de una petición /FSF/CMD con una ruta completa en un elemento PATH de un registro SRS. • https://www.exploit-db.com/exploits/23323 http://www.kb.cert.org/vuls/id/273371 https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 41%CPEs: 1EXPL: 2CVE-2012-4959 – Novell File Reporter (NFR) Agent - XML Parsing Remote Code Execution
https://notcve.org/view.php?id=CVE-2012-4959
Directory traversal vulnerability in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to upload and execute files via a 130 /FSF/CMD request with a .. (dot dot) in a FILE element of an FSFUI record. Una vulnerabilidad de salto de directorio en NFRAgent.exe en Novell File Reporter v1.0.2 permite cargar y ejecutar archivos a atacantes remotos a través de una petición 130 /FSF/CMD con un .. (punto punto) en un elemento FILE de un registro FSFUI. • https://www.exploit-db.com/exploits/23323 https://www.exploit-db.com/exploits/22787 http://www.kb.cert.org/vuls/id/273371 https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 96%CPEs: 1EXPL: 1CVE-2012-4933 – Novell ZENworks Asset Management 7.5 Remote File Access
https://notcve.org/view.php?id=CVE-2012-4933
The rtrlet web application in the Web Console in Novell ZENworks Asset Management (ZAM) 7.5 uses a hard-coded username of Ivanhoe and a hard-coded password of Scott for the (1) GetFile_Password and (2) GetConfigInfo_Password operations, which allows remote attackers to obtain sensitive information via a crafted rtrlet/rtr request for the HandleMaintenanceCalls function. La aplicación web rtrlet en la consola Web de Novell ZENworks Asset Management (ZAM) v7.5 utiliza un nombre de usuario no modificable de Ivanhoe y una contraseña codificada de Scott para operaciones (1) GetFile_Password y (2) GetConfigInfo_Password, lo que permite a atacantes remotos obtener información sensible a través de una solicitud rtrlet/rtr modificada de la función HandleMaintenanceCalls. • http://www.kb.cert.org/vuls/id/332412 http://www.securitytracker.com/id?1027682 https://community.rapid7.com/community/metasploit/blog/2012/10/15/cve-2012-4933-novell-zenworks https://exchange.xforce.ibmcloud.com/vulnerabilities/79252 • CWE-255: Credentials Management Errors •
CVSS: 9.3EPSS: 2%CPEs: 12EXPL: 0CVE-2012-0418
https://notcve.org/view.php?id=CVE-2012-0418
Unspecified vulnerability in the client in Novell GroupWise 8.0 before Support Pack 3 and 2012 before Support Pack 1 on Windows allows user-assisted remote attackers to execute arbitrary code via a crafted file. Vulnerabilidad no especificada en el cliente Novell GroupWise v8.0 anterior a Support Pack 3 y 2012 before Support Pack 1 sobre Windows permite a atacantes remotos asistidos por usuarios locales ejecutar código de su elección a través de un fichero manipulado. • http://download.novell.com/Download?buildid=O5hTjIiMdMo~ http://www.novell.com/support/kb/doc.php?id=7010771 http://www.securityfocus.com/bid/55729 https://bugzilla.novell.com/show_bug.cgi?id=752521 •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4912
https://notcve.org/view.php?id=CVE-2012-4912
Cross-site scripting (XSS) vulnerability in the WebAccess component in Novell GroupWise 8.0 before Support Pack 3 and 2012 before Support Pack 1 allows remote attackers to inject arbitrary web script or HTML via a crafted signature in an HTML e-mail message. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el componente WebAccess en Novell GroupWise v8.0 anterior a Support Pack 3 y 2012 before Support Pack 1 permite a atacantes remotos inyectar código web script o HTML de su elección a través de firmas manipuladas en un email. • http://download.novell.com/Download?buildid=O5hTjIiMdMo~ http://secunia.com/advisories/50622 http://www.novell.com/support/kb/doc.php?id=7010768 http://www.securityfocus.com/bid/55814 http://www.securitytracker.com/id?1027614 https://bugzilla.novell.com/show_bug.cgi?id=702788 https://bugzilla.novell.com/show_bug.cgi? • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •