
CVSS: 6.8 • EPSS: 1% • CPEs: 1 • EXPL: 2

03 Apr 2023 — front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter. GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability. • https://packetstorm.news/files/id/171655 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-203: Observable Discrepancy

CVSS: 7.8 • EPSS: 12% • CPEs: 1 • EXPL: 0

16 Aug 2022 — Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-863: Incorrect Authorization

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Aug 2022 — OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Aug 2022 — Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-321: Use of Hard-coded Cryptographic Key; CWE-798: Use of Hard-coded Credentials

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Aug 2022 — An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions. • https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')