CVSS: 5.0EPSS: 0%CPEs: 20EXPL: 0CVE-2014-9251
https://notcve.org/view.php?id=CVE-2014-9251
Zenoss Core through 5 Beta 3 uses a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack on hash values in the database, aka ZEN-15413. Zenoss Core hasta 5 Beta 3 utiliza un algoritmo débil para crear hashes de contraseñas, lo que facilita a atacantes dependientes de contexto obtener valores en texto plano a través de un ataque de fuerza bruta sobre los valores de hash, también conocido como ZEN-15413. • http://www.kb.cert.org/vuls/id/449452 https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing • CWE-255: Credentials Management Errors •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2014-3739
https://notcve.org/view.php?id=CVE-2014-3739
Open redirect vulnerability in zport/acl_users/cookieAuthHelper/login_form in Zenoss 4.2.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the came_from parameter. Vulnerabilidad de redirección abierta en zport/acl_users/cookieAuthHelper/login_form en Zenoss 4.2.5 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de una URL an el parámetro came_from. • http://www.openwall.com/lists/oss-security/2014/05/14/5 http://www.openwall.com/lists/oss-security/2014/05/15/5 http://www.securityfocus.com/bid/67396 https://www.youtube.com/watch?v=wtmdsz24evo • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 4CVE-2014-3738 – Zenoss Monitoring System 4.2.5-2108 (x64) - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-3738
Cross-site scripting (XSS) vulnerability in Zenoss 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the title of a device. Vulnerabilidad de XSS en Zenoss 4.2.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del título de un dispositivo. Zenoss Monitoring System version 4.2.5-2108 64-bit suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/34165 http://packetstormsecurity.com/files/127623/Zenoss-Monitoring-System-4.2.5-2108-Cross-Site-Scripting.html http://www.exploit-db.com/exploits/34165 http://www.openwall.com/lists/oss-security/2014/05/14/5 http://www.openwall.com/lists/oss-security/2014/05/15/5 http://www.securityfocus.com/bid/67396 https://www.youtube.com/watch?v=wtmdsz24evo • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 2CVE-2010-0712 – Zenoss 2.3.3 - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2010-0712
Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEventsInfo in Zenoss 2.3.3, and other versions before 2.5, allow remote authenticated users to execute arbitrary SQL commands via the (1) severity, (2) state, (3) filter, (4) offset, and (5) count parameters. Múltiples vulnerabilidades de inyección SQL en zport/dmd/Events/getJSONEventsInfo en Zenoss v2.3.3 y otras versiones anteriores a v2.5, permite a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) severity, (2) state, (3) filter, (4) offset, and (5) count. • https://www.exploit-db.com/exploits/33511 http://dev.zenoss.org/trac/changeset/15257 http://osvdb.org/61804 http://secunia.com/advisories/38195 http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-001-zenoss-getjsoneventsinfo-sql-injection http://www.securityfocus.com/bid/37802 http://www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html https://exchange.xforce.ibmcloud.com/vulnerabilities/55670 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 4%CPEs: 5EXPL: 2CVE-2010-0713 – Zenoss 2.3.3 - Multiple Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-0713
Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss 2.3.3, and other versions before 2.5, allow remote attackers to hijack the authentication of an administrator for (1) requests that reset user passwords via zport/dmd/ZenUsers/admin, and (2) requests that change user commands, which allows for remote execution of system commands via zport/dmd/userCommands/. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Zenoss v2.3.3, y otras versiones anteriores a v2.5, permite a atacantes remotos secuestrar la autenticación de las peticiones de administradores para (1) peticiones que reinicializan la contraseña de los usuarios a través de zport/dmd/ZenUsers/admin, y (2) peticiones que modifican comandos de usuario, lo que permite ejecuciones de comandos del sistema mediante zport/dmd/userCommands/ • https://www.exploit-db.com/exploits/33536 http://osvdb.org/61805 http://secunia.com/advisories/38195 http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-002-zenoss-multiple-admin-csrf http://www.securityfocus.com/archive/1/508982/100/0/threaded http://www.securityfocus.com/bid/37843 http://www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html • CWE-352: Cross-Site Request Forgery (CSRF) •