
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

09 Jun 2022 — A vulnerability has been found in ajenti 2.1.31 and classified as critical. This vulnerability affects unknown code of the component API. The manipulation leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-269: Improper Privilege Management

CVSS: 6.1 • EPSS: 3% • CPEs: 1 • EXPL: 2

22 Oct 2018 — ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager. AjentiCP versions 1.2.23.13 and below suffer from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/149898 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Mar 2018 — Ajenti version 2 contains an Information Disclosure vulnerability at line 176 of the source code that can result in user and system enumeration as well as disclosure of data from the /etc/ajenti/config.yml file. This attack appears to be exploitable via network connectivity to the web application. • https://medium.com/stolabs/security-issues-on-ajenti-d2b7526eaeee • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Mar 2018 — Ajenti version 2 contains an Improper Error Handling vulnerability in the Login JSON request that can result in the request leaking a path on the server. This attack appears to be exploitable by sending malformed JSON: the tool responds with a traceback error that leaks a path on the server. • https://medium.com/stolabs/security-issues-on-ajenti-d2b7526eaeee • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Mar 2018 — Ajenti version 2 contains an Input Validation vulnerability in the ID string of the Get-values POST request that can result in the server crashing. This attack appears to be exploitable because an attacker can freeze the server by sending a giant string in the ID parameter. • https://medium.com/stolabs/security-issues-on-ajenti-d2b7526eaeee • CWE-20: Improper Input Validation

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Mar 2018 — Ajenti version 2 contains an Insecure Permissions vulnerability in plugin download that can result in any plugin being downloaded by a normal user. This attack appears to be exploitable by knowing how the request is made and sending it as a normal user; the server, in response, downloads the plugin. • https://medium.com/stolabs/security-issues-on-ajenti-d2b7526eaeee • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Mar 2018 — Ajenti version 2 contains a Cross-Site Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server that can result in code execution on the server. Being a CSRF, the attack requires victim interaction: when the victim accesses the trigger of the CSRF, any code matching the victim's privileges on the server can be executed. • https://medium.com/stolabs/security-issues-on-ajenti-d2b7526eaeee • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 • EPSS: 0% • CPEs: 22 • EXPL: 2

18 Jun 2014 — Multiple cross-site scripting (XSS) vulnerabilities in the respond_error function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) resources.js or (2) resources.css in ajenti:static/, related to the traceback page. • http://secunia.com/advisories/59177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

30 Apr 2014 — Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality. • http://packetstormsecurity.com/files/124804/Ajenti-1.2.13-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')