CVE-2014-8420 – Dell Sonicwall GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-8420
The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors. La aplicación web ViewPoint en Dell SonicWALL Global Management System (GMS) anterior a 7.2 SP2, SonicWALL Analyzer anterior a 7.2 SP2, y SonicWALL UMA anterior a 7.2 SP2 permite a usuarios remotos autenticados ejecutar código arbitrario a través de vectores no especificados. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Dell SonicWALL Global Management System (GMS) virtual appliance. Authentication is required to exploit this vulnerability. The specific flaw exists within the GMS ViewPoint (GMSVP) web application. The issue lies in the handling of configuration input due to a failure to safely sanitize user data before executing a command. • http://www.securityfocus.com/bid/71241 http://www.zerodayinitiative.com/advisories/ZDI-14-385 https://exchange.xforce.ibmcloud.com/vulnerabilities/98911 https://support.software.dell.com/product-notification/136814 • CWE-20: Improper Input Validation •
CVE-2014-5024
https://notcve.org/view.php?id=CVE-2014-5024
Cross-site scripting (XSS) vulnerability in sgms/panelManager in Dell SonicWALL GMS, Analyzer, and UMA before 7.2 SP1 allows remote attackers to inject arbitrary web script or HTML via the node_id parameter. Vulnerabilidad de XSS en sgms/panelManager en Dell SonicWALL GMS, Analyzer y UMA anterior a 7.2 SP1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrario a través del parámetro node_id. • http://packetstormsecurity.com/files/127575/SonicWALL-GMS-7.2-Build-7221.1701-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Jul/125 http://secunia.com/advisories/60287 http://www.securityfocus.com/bid/68829 https://support.software.dell.com/product-notification/128245 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-0332 – DELL SonicWALL Universal Management Suite 7.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-0332
Cross-site scripting (XSS) vulnerability in mainPage in Dell SonicWALL GMS before 7.1 SP2, SonicWALL Analyzer before 7.1 SP2, and SonicWALL UMA E5000 before 7.1 SP2 might allow remote attackers to inject arbitrary web script or HTML via the node_id parameter in a ScreenDisplayManager genNetwork action. Vulnerabilidad de XSS en mainPage en Dell SonicWALL GMS anterior a 7.1 SP2, SonicWALL Analyzer anterior a 7.1 SP2 y SonicWALL UMA E5000 anterior a 7.1 SP2 podría permitir a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro node_id en una acción ScreenDisplayManager genNetwork. DELL SonicWALL Universal Management Suite version 7.x suffers from a cross site scripting vulnerability. • http://osvdb.org/103216 http://www.kb.cert.org/vuls/id/727318 http://www.securityfocus.com/bid/65498 http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_XSS_Resolved_in_7.1_SP2_and_7.2.pdf https://exchange.xforce.ibmcloud.com/vulnerabilities/91062 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-7025 – SonicWALL Gms 7.x - Filter Bypass / Persistent
https://notcve.org/view.php?id=CVE-2013-7025
Multiple cross-site scripting (XSS) vulnerabilities in ematStaticAlertTypes.jsp in the Alert Settings section in Dell SonicWALL Global Management System (GMS), Analyzer, and UMA EM5000 7.1 SP1 before Hotfix 134235 allow remote authenticated users to inject arbitrary web script or HTML via the (1) valfield_1 or (2) value_1 parameter to createNewThreshold.jsp. Múltiples vulnerabilidades XSS en ematStaticAlertTypes.jsp en la sección de ajustes de alertas en Dell SonicWALL Global Management System (GMS), Analyzer, y UMA EM5000 7.1 SP1 anterior al Hotfix 134235 permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML arbitrarias a través de los parámetros (1) valfield_1 o (2) value_1 a createNewThreshold.jsp. • https://www.exploit-db.com/exploits/30054 http://archives.neohapsis.com/archives/bugtraq/2013-12/0022.html http://osvdb.org/100610 http://seclists.org/fulldisclosure/2013/Dec/32 http://secunia.com/advisories/55923 http://www.exploit-db.com/exploits/30054 http://www.securityfocus.com/bid/64103 http://www.securitytracker.com/id/1029433 http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf http://www.vulnerability-lab.com/get_content.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-1359 – SonicWALL Gms 6 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2013-1359
An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote malicious user obtain access to the root account. Se presenta una Vulnerabilidad de Omisión de Autenticación en DELL SonicWALL Analyzer versión 7.0, Global Management System (GMS) versiones 4.1, 5.0, 5.1, 6.0 y 7.0; Universal Management Appliance (UMA) versiones 5.1, 6.0 y 7.0 y ViewPoint versiones 4.1, 5.0, 5.1 y 6.0 por medio del parámetro skipSessionCheck en la interfaz UMA (/appliance/), lo que podría permitir a un usuario malicioso remoto obtener acceso a la cuenta root. • https://www.exploit-db.com/exploits/24322 https://www.exploit-db.com/exploits/24204 http://www.exploit-db.com/exploits/24204 http://www.exploit-db.com/exploits/24322 http://www.securityfocus.com/bid/57445 http://www.securitytracker.com/id/1028007 https://exchange.xforce.ibmcloud.com/vulnerabilities/81367 https://fortiguard.com/encyclopedia/ips/35264/multiple-sonicwall-products-authentication-bypass-vulns https://packetstormsecurity.com/files/author/7547 https://seclists.org/fulldisclosure/2013 • CWE-287: Improper Authentication •