CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1254
https://notcve.org/view.php?id=CVE-2018-1254
RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. RSA Authentication Manager Security Console en versiones 8.3 P1 y anteriores contiene una vulnerabilidad Cross-Site Scripting (XSS) reflejado. Un atacante remoto no autenticado podría explotar esta vulnerabilidad engañando a un administrador Security Console víctima para que proporcione código HTML o JavaScript malicioso a una aplicación web vulnerable, que se devuelve a la víctima y es ejecutado por el navegador web. • http://seclists.org/fulldisclosure/2018/Jun/39 http://www.securityfocus.com/bid/104534 http://www.securitytracker.com/id/1041134 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1242
https://notcve.org/view.php?id=CVE-2018-1242
Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contains a command injection vulnerability in the Boxmgmt CLI. An authenticated malicious user with boxmgmt privileges may potentially exploit this vulnerability to read RPA files. Note that files that require root permission cannot be read. Dell EMC RecoverPoint, en versiones anteriores a la 5.1.2 y RecoverPoint for VMs en versiones anteriores a la 5.1.1.3, contienen una vulnerabilidad de inyección de comandos en la interfaz de línea de comandos de Boxmgmt. Un usuario autenticado malicioso con privilegios boxmgmt podría explotar esta vulnerabilidad para leer archivos RPA. • http://seclists.org/fulldisclosure/2018/May/61 http://www.securityfocus.com/bid/104246 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 4%CPEs: 2EXPL: 2CVE-2018-1235 – Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution
https://notcve.org/view.php?id=CVE-2018-1235
Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege. Dell EMC RecoverPoint, en versiones anteriores a la 5.1.2 y RecoverPoint for VMs en versiones anteriores a la 5.1.1.3, contienen una vulnerabilidad de inyección de comandos. Un atacante remoto no autenticado podría explotar esta vulnerabilidad para ejecutar comandos arbitrarios en el sistema afectado con privilegios root. Dell EMC RecoverPoint versions prior to 5.1.2 suffer from a remote root command execution vulnerability. • https://www.exploit-db.com/exploits/44920 https://github.com/AbsoZed/CVE-2018-1235 http://seclists.org/fulldisclosure/2018/May/61 http://www.securityfocus.com/bid/104246 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1241
https://notcve.org/view.php?id=CVE-2018-1241
Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, under certain conditions, may leak LDAP password in plain-text into the RecoverPoint log file. An authenticated malicious user with access to the RecoverPoint log files may obtain the exposed LDAP password to use it in further attacks. Dell EMC RecoverPoint, en versiones anteriores a la 5.1.2 y RecoverPoint for VMs en versiones anteriores a la 5.1.1.3, podrían filtrar contraseñas LDAP en texto plano en el archivo de registro RecoverPoint. Un usuario autenticado malicioso con acceso a los archivos de registro de RecoverPoint podría obtener la contraseña LDAP expuesta para emplearla en más ataques. • http://seclists.org/fulldisclosure/2018/May/61 http://www.securityfocus.com/bid/104246 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1240
https://notcve.org/view.php?id=CVE-2018-1240
Dell EMC ViPR Controller, versions after 3.0.0.38, contain an information exposure vulnerability in the VRRP. VRRP defaults to an insecure configuration in Linux's keepalived component which sends the cluster password in plaintext through multicast. A malicious user, having access to the vCloud subnet where ViPR is deployed, could potentially sniff the password and use it to take over the cluster's virtual IP and cause a denial of service on that ViPR Controller system. Dell EMC ViPR Controller, en versiones posteriores a la 3.0.0.38, contiene una vulnerabilidad de fuga de información en el VRRP. VRRP se establece por defecto en una configuración insegura en el componente keepalived de Linux, que envía la contraseña del clúster en texto plano mediante multicast. • http://seclists.org/fulldisclosure/2018/Apr/29 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •