Page 5 of 26 results (0.023 seconds)

CVSS: 5.0EPSS: 0%CPEs: 20EXPL: 0

Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418. Zenoss Core hasta 5 Beta 3 no incluye el indicador HTTPOnly en una cabecera Set-Cookie para la cookie de autenticación, lo que facilita a atacantes remotos obtener información de credenciales a través del acceso de secuencias de comandos a esta cookie, también conocido como ZEN-10418. • http://www.kb.cert.org/vuls/id/449452 https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 0%CPEs: 20EXPL: 0

Zenoss Core through 5 Beta 3 uses a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack on hash values in the database, aka ZEN-15413. Zenoss Core hasta 5 Beta 3 utiliza un algoritmo débil para crear hashes de contraseñas, lo que facilita a atacantes dependientes de contexto obtener valores en texto plano a través de un ataque de fuerza bruta sobre los valores de hash, también conocido como ZEN-15413. • http://www.kb.cert.org/vuls/id/449452 https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing • CWE-255: Credentials Management Errors •

CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1

Open redirect vulnerability in zport/acl_users/cookieAuthHelper/login_form in Zenoss 4.2.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the came_from parameter. Vulnerabilidad de redirección abierta en zport/acl_users/cookieAuthHelper/login_form en Zenoss 4.2.5 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de una URL an el parámetro came_from. • http://www.openwall.com/lists/oss-security/2014/05/14/5 http://www.openwall.com/lists/oss-security/2014/05/15/5 http://www.securityfocus.com/bid/67396 https://www.youtube.com/watch?v=wtmdsz24evo • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 4

Cross-site scripting (XSS) vulnerability in Zenoss 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the title of a device. Vulnerabilidad de XSS en Zenoss 4.2.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del título de un dispositivo. Zenoss Monitoring System version 4.2.5-2108 64-bit suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/34165 http://packetstormsecurity.com/files/127623/Zenoss-Monitoring-System-4.2.5-2108-Cross-Site-Scripting.html http://www.exploit-db.com/exploits/34165 http://www.openwall.com/lists/oss-security/2014/05/14/5 http://www.openwall.com/lists/oss-security/2014/05/15/5 http://www.securityfocus.com/bid/67396 https://www.youtube.com/watch?v=wtmdsz24evo • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 2

Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEventsInfo in Zenoss 2.3.3, and other versions before 2.5, allow remote authenticated users to execute arbitrary SQL commands via the (1) severity, (2) state, (3) filter, (4) offset, and (5) count parameters. Múltiples vulnerabilidades de inyección SQL en zport/dmd/Events/getJSONEventsInfo en Zenoss v2.3.3 y otras versiones anteriores a v2.5, permite a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) severity, (2) state, (3) filter, (4) offset, and (5) count. • https://www.exploit-db.com/exploits/33511 http://dev.zenoss.org/trac/changeset/15257 http://osvdb.org/61804 http://secunia.com/advisories/38195 http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-001-zenoss-getjsoneventsinfo-sql-injection http://www.securityfocus.com/bid/37802 http://www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html https://exchange.xforce.ibmcloud.com/vulnerabilities/55670 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •