CVSS: 7.8EPSS: 6%CPEs: 1EXPL: 2CVE-2018-20735 – BMC Patrol Agent - Privilege Escalation Code Execution Execution
https://notcve.org/view.php?id=CVE-2018-20735
An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. • https://www.exploit-db.com/exploits/46556 https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2018-18862 – BMC Remedy / ITAM 7.1.00 / 9.1.02.003 Information Disclosure
https://notcve.org/view.php?id=CVE-2018-18862
BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/. BMC Remedy Mid-Tier 7.1.00 y 9.1.02.003 para BMC Remedy AR System tiene un control de acceso incorrecto en los formularios ITAM, tal y como queda demostrado por TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/ y AR+System+Administration%3A+Server+Information/Default+Admin+View/. BMC Remedy and ITAM versions 7.1.00 and 9.1.02.003 suffer from multiple information disclosure vulnerabilities. • http://packetstormsecurity.com/files/151021/BMC-Remedy-ITAM-7.1.00-9.1.02.003-Information-Disclosure.html http://seclists.org/fulldisclosure/2019/Jan/11 https://docs.bmc.com/docs/ars91/en/release-notes-and-notices-609073037.html • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19505 – BMC Remedy 7.1 User Impersonation
https://notcve.org/view.php?id=CVE-2018-19505
Remedy AR System Server in BMC Remedy 7.1 may fail to set the correct user context in certain impersonation scenarios, which can allow a user to act with the identity of a different user, because userdata.js in the WOI:WorkOrderConsole component allows a username substitution involving a UserData_Init call. En la versión 7.1 de BMC Remedy, Remedy AR System Server podría no lograr establecer el contexto de usuario correcto en determinados escenarios de suplantación, lo que podría permitir a un usuario actuar con la identidad de otro usuario debido a que userdata.js en el componente WOI:WorkOrderConsole permite una sustitución del nombre de usuario que implica una llamada UserData_Init. An impersonation issue in BMC Remedy version 7.1 may lead to incorrect user context in Remedy AR System Server. • http://packetstormsecurity.com/files/150492/BMC-Remedy-7.1-User-Impersonation.html http://seclists.org/fulldisclosure/2018/Nov/62 http://www.securitytracker.com/id/1042177 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2015-9257
https://notcve.org/view.php?id=CVE-2015-9257
BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service Pack 2 hot fix 1 has persistent XSS. BMC Remedy Action Request (AR) System en versiones 9.0 anteriores a la 9.0.00 Service Pack 2 hot fix 1 contiene Cross-Site Scripting (XSS) persistente. • https://docs.bmc.com/docs/display/public/ars9000/Cross+site+scripting+%28XSS%29+in+Remedy+9.0%2C+9.0+Service+Pack+1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18228
https://notcve.org/view.php?id=CVE-2017-18228
Remedy Mid Tier in BMC Remedy AR System 9.1 allows XSS via the ATTKey parameter in an arsys/servlet/AttachServlet request. Remedy Mid Tier en BMC Remedy AR System 9.1 permite Cross-Site Scripting (XSS) mediante el parámetro ATTKey en una petición arsys/servlet/AttachServlet. • https://communities.bmc.com/thread/164169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •