CVE-2024-38496 – Symantec Privileged Access Manager Insecure Direct Object Reference vulnerability
https://notcve.org/view.php?id=CVE-2024-38496
The vulnerability allows a malicious low-privileged PAM user to access information about other PAM users and their group memberships. Reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678
CVE-2024-38495 – Symantec Privileged Access Manager User Enumeration vulnerability
https://notcve.org/view.php?id=CVE-2024-38495
A specific authentication strategy allows a malicious attacker to learn the IDs of all PAM users defined in its database. Reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678
CVE-2024-38494 – Symantec Privileged Access Manager Remote Command Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-38494
This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request. Reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 (CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'))
CVE-2024-38493 – Symantec Privileged Access Manager Reflected Cross Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-38493
A reflected cross-site scripting (XSS) vulnerability exists in the PAM UI web interface. A remote attacker able to convince a PAM user to click on a specially crafted link to the PAM UI web interface could potentially execute arbitrary client-side code in the context of PAM UI. Reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 (CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
CVE-2024-38492 – Symantec Privileged Access Manager Remote Command Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-38492
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file. Reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 (CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'))