CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-5315
https://notcve.org/view.php?id=CVE-2019-5315
A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. This vulnerability only affects ArubaOS 8.x. Una vulnerabilidad de inyección de comandos está presente en la interfaz de administración web de ArubaOS, lo que permite a un usuario autenticado ejecutar comandos arbitrarios sobre el sistema operativo subyacente. Un administrador malicioso podría utilizar esta capacidad para instalar puertas traseras (backdoors) o cambiar la configuración del sistema de una manera tal que no se registraría. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-004.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-5314
https://notcve.org/view.php?id=CVE-2019-5314
Some web components in the ArubaOS software are vulnerable to HTTP Response splitting (CRLF injection) and Reflected XSS. An attacker would be able to accomplish this by sending certain URL parameters that would trigger this vulnerability. Algunos componentes web en el software ArubaOS son susceptibles a vulnerabilidades de división de respuesta HTTP (inyección CRLF) y de tipo XSS Reflejado. Un atacante podría ser capaz de lograr esto mediante el envío de determinados parámetros URL que desencadenarían esta vulnerabilidad. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-004.txt • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 1%CPEs: 6EXPL: 1CVE-2018-7081
https://notcve.org/view.php?id=CVE-2018-7081
A remote code execution vulnerability is present in network-listening components in some versions of ArubaOS. An attacker with the ability to transmit specially-crafted IP traffic to a mobility controller could exploit this vulnerability and cause a process crash or to execute arbitrary code within the underlying operating system with full system privileges. Such an attack could lead to complete system compromise. The ability to transmit traffic to an IP interface on the mobility controller is required to carry out an attack. The attack leverages the PAPI protocol (UDP port 8211). • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-004.txt https://x-c3ll.github.io/posts/CVE-2018-7081-RCE-ArubaOS • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2018-7084
https://notcve.org/view.php?id=CVE-2018-7084
A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web interface to execute arbitrary system commands within the underlying operating system. An attacker could use this ability to copy files, read configuration, write files, delete files, or reboot the device. Workaround: Block access to the Aruba Instant web interface from all untrusted users. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.1 Existe una vulnerabilidad de inyección de comandos que permite a un usuario no autenticado con acceso a la interfaz web de Aruba Instant ejecutar comandos arbitrarios del sistema dentro del sistema operativo subyacente. Un atacante podría utilizar esta capacidad para copiar archivos, leer la configuración, escribir archivos, eliminar archivos o reiniciar el dispositivo. • http://www.securityfocus.com/bid/108374 https://cert-portal.siemens.com/productcert/pdf/ssa-549547.pdf https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-001.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2018-7064
https://notcve.org/view.php?id=CVE-2018-7064
A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link which could then take administrative actions on the Instant cluster, or expose the session cookie for an administrative session. Workaround: Administrators should make sure they log out of the Aruba Instant UI when not actively managing the system, and should use caution clicking links from external sources while logged into the IAP administrative interface. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0 Una vulnerabilidad de XSS reflejado está presente en una interfaz web de Aruba Instant no autenticada. Un atacante podría utilizar esta vulnerabilidad para engañar a un administrador de IAP para que haga clic en un enlace que podría realizar acciones administrativas en el clúster Instantáneo, o exponer la cookie de sesión para una sesión administrativa. • http://www.securityfocus.com/bid/108374 https://cert-portal.siemens.com/productcert/pdf/ssa-549547.pdf https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-001.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •