CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26962
https://notcve.org/view.php?id=CVE-2021-26962
A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Vulnerabilities in the AirWave CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to full system compromise. Se detectó una vulnerabilidad de ejecución de comandos arbitraria autenticada remota en Aruba AirWave Management Platform versiones: anteriores a 8.2.12.0. Unas vulnerabilidades en la CLI de AirWave podrían permitir a usuarios autenticados remotos ejecutar comandos arbitrarios en el host subyacente. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-005.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26961
https://notcve.org/view.php?id=CVE-2021-26961
A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. Se detectó una vulnerabilidad de tipo cross-site request forgery (csrf) remotos no autenticados en Aruba AirWave Management Platform versiones: anteriores a 8.2.12.0. Una vulnerabilidad en la interfaz de administración basada en web de AirWave podría permitir a un atacante remoto no autenticado conducir un ataque CSRF contra un sistema vulnerable. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-005.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-5326
https://notcve.org/view.php?id=CVE-2019-5326
An administrative application user of or application user with write access to Aruba Airwave VisualRF is able to obtain code execution on the AMP platform. This is possible due to the ability to overwrite a file on disk which is subsequently deserialized by the Java application component. Un usuario de aplicación administrativa o un usuario de aplicación con acceso de escritura en Aruba Airwave VisualRF es capaz de obtener una ejecución de código en la plataforma AMP. Esto es posible debido a la capacidad de sobrescribir un archivo en el disco que posteriormente es deserializado por el componente de aplicación Java. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-002.txt • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-5323
https://notcve.org/view.php?id=CVE-2019-5323
There are command injection vulnerabilities present in the AirWave application. Certain input fields controlled by an administrative user are not properly sanitized before being parsed by AirWave. If conditions are met, an attacker can obtain command execution on the host. Se presentan vulnerabilidades de inyección de comando presentes en la aplicación Airwave. Determinados campos de entrada controlados por un usuario administrativo no son saneados apropiadamente antes de ser analizados por Airwave. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-002.txt • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2016-8526 – Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-8526
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation. • https://www.exploit-db.com/exploits/41482 http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt http://www.securityfocus.com/bid/96495 • CWE-611: Improper Restriction of XML External Entity Reference •