3 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0

A Cross-Site Request Forgery (CSRF) vulnerability affecting Teamwork Cloud from No Magic Release 2021x through No Magic Release 2022x could allow with some very specific conditions an attacker to send a specifically crafted query to the server. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) que afecta a Teamwork Cloud desde No Magic Release 2021x hasta No Magic Release 2022x podría permitir, con algunas condiciones muy específicas, que un atacante envíe una consulta específicamente manipulada al servidor. • https://www.3ds.com/vulnerability/advisories • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 0

A stored Cross-site Scripting (XSS) vulnerability affecting Teamwork Cloud from No Magic Release 2021x through No Magic Release 2022x allows an attacker to execute arbitrary script code. Una vulnerabilidad de Cross-Site Scripting (XSS) almacenado que afecta a Teamwork Cloud desde No Magic Release 2021x hasta No Magic Release 2022x permite a un atacante ejecutar scripts de comandos arbitrarios. • https://www.3ds.com/vulnerability/advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1

An incorrect permission assignment during the installation script of TeamworkCloud 18.0 thru 19.0 allows a local unprivileged attacker to execute arbitrary code as root. During installation, the user is instructed to set the system enviroment file with world writable permissions (0777 /etc/environment). Any local unprivileged user can execute arbitrary code simply by writing to /etc/environment, which will force all users, including root, to execute arbitrary code during the next login or reboot. In addition, the entire home directory of the twcloud user at /home/twcloud is recursively given world writable permissions. This allows any local unprivileged attacker to execute arbitrary code, as twcloud. • https://community.nomagic.com/finding-and-fixing-wrong-file-permission-twc-installation-t7165.html https://docs.nomagic.com/display/TWCloud190/Installation+on+Linux+using+scripts https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-002.md https://sick.codes/finding-a-vulnerability-in-teamwork-cloud-server-nomagic-3ds-which-is-used-by-gov-enterprise-to-design-rockets-missiles-and-satellites https://sick.codes/sick-2020-002 https://web.archive.org/web/20201219095507/https://docs.nomagic.com • CWE-732: Incorrect Permission Assignment for Critical Resource •