CVE-2021-26962
https://notcve.org/view.php?id=CVE-2021-26962
A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform versions prior to 8.2.12.0. Vulnerabilities in the AirWave CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to full system compromise. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-005.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-26961
https://notcve.org/view.php?id=CVE-2021-26961
A remote unauthenticated cross-site request forgery (CSRF) vulnerability was discovered in Aruba AirWave Management Platform versions prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-005.txt • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-5326
https://notcve.org/view.php?id=CVE-2019-5326
An administrative application user of, or an application user with write access to, Aruba AirWave VisualRF is able to obtain code execution on the AMP platform. This is possible due to the ability to overwrite a file on disk which is subsequently deserialized by the Java application component. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-002.txt • CWE-502: Deserialization of Untrusted Data
CVE-2019-5323
https://notcve.org/view.php?id=CVE-2019-5323
Command injection vulnerabilities are present in the AirWave application. Certain input fields controlled by an administrative user are not properly sanitized before being parsed by AirWave. If conditions are met, an attacker can obtain command execution on the host. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-002.txt • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-8527 – Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-8527
Aruba AirWave, in all versions up to, but not including, 8.2.3.1, is vulnerable to reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while currently logged into AirWave in the same browser. • https://www.exploit-db.com/exploits/41482 • http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt • http://www.securityfocus.com/bid/96495 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')