CVSS: 10.0EPSS: 0%CPEs: 24EXPL: 0CVE-2020-7142 – Hewlett Packard Enterprise Intelligent Management Center eventInfo_content Expression Language Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-7142
A eventinfo_content expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). Se detectó una vulnerabilidad de ejecución de código remota de una inyección de lenguaje de expresiones de eventinfo_content en HPE Intelligent Management Center (iMC): versión(es): anteriores a iMC PLAT 7.3 (E0705P07) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the beanName parameter provided to the eventInfo_content.xhtml endpoint. When parsing the beanName parameter, the process does not properly validate a user-supplied string before using it to render a page. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04036en_us • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 5.9EPSS: 0%CPEs: 8EXPL: 0CVE-2019-4568
https://notcve.org/view.php?id=CVE-2019-4568
IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS could allow a remote attacker with intimate knowledge of the server to cause a denial of service when receiving data on the channel. IBM X-Force ID: 166629. IBM MQ e IBM MQ Appliance versiones 8.0 y 9.0 LTS, podrían permitir a un atacante remoto con un conocimiento íntimo del servidor causar una denegación de servicio cuando son recibidos datos en el canal. ID de IBM X-Force: 166629. • https://exchange.xforce.ibmcloud.com/vulnerabilities/166629 https://www.ibm.com/support/pages/node/1106517 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-19539
https://notcve.org/view.php?id=CVE-2019-19539
An issue was discovered in Idelji Web ViewPoint H01ABO-H01BY and L01ABP-L01ABZ, Web ViewPoint Plus H01AAG-H01AAQ and L01AAH-L01AAR, and Web ViewPoint Enterprise H01-H01AAE and L01-L01AAF. By reading ADB or AADB file content within the Installation subvolume, a Guardian user can discover the password of the group.user or alias who acknowledges events from the WVP Events screen. Se detectó un problema en Idelji Web ViewPoint versiones H01ABO-H01BY y L01ABP-L01ABZ, Web ViewPoint Plus versiones H01AAG-H01AAQ y L01AAH-L01AAR y Web ViewPoint Enterprise versiones H01-H01AAE y L01-L01AAF. Mediante la lectura del contenido del archivo ADB o AADB dentro del subvolumen Installation, un usuario Guardian puede descubrir la contraseña de group.user o el alias de quien reconoce los eventos desde la pantalla WVP Events. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03981en_us • CWE-522: Insufficiently Protected Credentials •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-3683 – keystone_json_assignment backend granted access to any project for users in user-project-map.json
https://notcve.org/view.php?id=CVE-2019-3683
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations. El paquete keystone-json-assignment en SUSE Openstack Cloud versión 8 antes del commit d7888c75505465490250c00cc0ef4bb1af662f9f, a cada usuario listado en el archivo /etc/keystone/user-project-map.json se le fue asignado el rol completo "member" para cada proyecto. Esto permitió a estos usuarios acceder, modificar, crear y eliminar recursos arbitrarios, contrariamente a lo esperado. • https://bugzilla.suse.com/show_bug.cgi?id=1124864 https://www.suse.com/security/cve/CVE-2019-3683 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11997
https://notcve.org/view.php?id=CVE-2019-11997
A potential security vulnerability has been identified in HPE enhanced Internet Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be used for unauthorized access to information via cross site scripting. HPE has made the following software updates to resolve the vulnerability in eIUM. The eIUM 8.3 FP01 customers are advised to install eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch. The eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or later versions. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03975en_us • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •