CVE-2014-100029 – GDL 4.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-100029
Multiple directory traversal vulnerabilities in class/session.php in Ganesha Digital Library (GDL) 4.2 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) newlang or (2) newtheme parameter. Múltiples vulnerabilidades de salto de directorio en class/session.php en Ganesha Digital Library (GDL) 4.2 permiten a atacantes remotos leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro (1) newlang o (2) newtheme. • https://www.exploit-db.com/exploits/31961 http://packetstormsecurity.com/files/125464 https://exchange.xforce.ibmcloud.com/vulnerabilities/91555 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2013-4733
https://notcve.org/view.php?id=CVE-2013-4733
The web server on the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 allows remote attackers to obtain sensitive configuration and status information by reading log files. El servidor web en el dispositivo Digital Alert Systems DASDEC EAS anterior a v2.0-2 y el dispositivo Monroe Electronics R189 One-Net EAS anterior a v2.0-2 permite a atacantes remotos obtener información sensible e información sobre el estado mediante la lectura de ficheros de log. • http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf http://www.kb.cert.org/vuls/id/662676 http://www.kb.cert.org/vuls/id/AAMN-98MU7H http://www.kb.cert.org/vuls/id/AAMN-98MUK2 http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-0137
https://notcve.org/view.php?id=CVE-2013-0137
The default configuration of the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 contains a known SSH private key, which makes it easier for remote attackers to obtain root access, and spoof alerts, via an SSH session. La configuración por defecto del dispositivo Digital Alert Systems DASDEC EAS hasta v2.0-2 y el dispositivo Monroe Electronics R189 One-Net hasta v2.0-2 contiene un clave SSH privada conocida, lo que hace que sea más fácil para un atacante remoto obtener acceso como root y falsificar alertas, a través de una sesión SSH. • http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf http://www.kb.cert.org/vuls/id/662676 http://www.kb.cert.org/vuls/id/AAMN-98MU7H http://www.kb.cert.org/vuls/id/AAMN-98MUK2 http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf https://securityledger.com/2020/01/seven-years-later-scores-of-eas-systems-sit-un-patched-vulnerable • CWE-310: Cryptographic Issues •
CVE-2013-4734
https://notcve.org/view.php?id=CVE-2013-4734
dasdec_mkuser on the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 generates predictable passwords, which might make it easier for attackers to obtain non-administrative access via unspecified vectors. dasdec_mkuser en el dispositivo Digital Alert Systems DASDEC EAS anterior a v2.0-2 y el dispositivo Monroe Electronics R189 One-Net EAS anterior a v2.0-2 genera contraseñas previsibles, lo que podría hacer más fácil para los atacantes obtengan acceso no administrativo a través de vectores no especificados. • http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf http://www.kb.cert.org/vuls/id/662676 http://www.kb.cert.org/vuls/id/AAMN-98MU7H http://www.kb.cert.org/vuls/id/AAMN-98MUK2 http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf •
CVE-2013-4732
https://notcve.org/view.php?id=CVE-2013-4732
The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network. NOTE: VU#662676 states "Monroe Electronics could not reproduce this finding. ** EN DISPUTA ** El servidor Web de administración del dispositivo Digital Alert Systems DASDEC EAS hasta v2.0-2 y el dispositivo Monroe Electronics R189 One-Net hasta v2.0-2 use un ID de sesión predecible, lo que permite a los atacantes remotos secuestrar la sesión de los usuarios mediante EAS utiliza valores de ID de sesión predecibles, lo que hace que sea más fácil para los atacantes remotos secuestrar sesiones mediante la captura de datos de red ("sniffing"). NOTA: VU#662676 dice que. Monroe Electronics no puede reproducir este hallazgo" • http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf http://www.kb.cert.org/vuls/id/662676 http://www.kb.cert.org/vuls/id/AAMN-98MU7H http://www.kb.cert.org/vuls/id/AAMN-98MUK2 http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf • CWE-255: Credentials Management Errors •