3 results (0.007 seconds)

CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0

18 Mar 2024 — Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200. La falta de sanitización de entradas en las ramas 9.0.20 y 9.0.21 de BMC Control-M p... • https://cert.pl/en/posts/2024/03/CVE-2024-1604 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0

18 Mar 2024 — BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application's privileges. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201. BMC Control-M ramificaciones 9.0.20 y 9.0.21 al iniciar sesión el usuario carga todas las librerías de víncu... • https://cert.pl/en/posts/2024/03/CVE-2024-1604 • CWE-276: Incorrect Default Permissions CWE-284: Improper Access Control •

CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0

18 Mar 2024 — Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201. La autorización inadecuada en el módulo de creación y ges... • https://cert.pl/en/posts/2024/03/CVE-2024-1604 • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •