CVE-2019-16286 – HP ThinPro 6.x / 7.x Filter Bypass
https://notcve.org/view.php?id=CVE-2019-16286
An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands. HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from an application filter bypass vulnerability.
• http://packetstormsecurity.com/files/156898/HP-ThinPro-6.x-7.x-Filter-Bypass.html http://seclists.org/fulldisclosure/2020/Mar/37 https://support.hp.com/us-en/document/c06509350
• CWE-287: Improper Authentication
CVE-2019-16285 – HP ThinPro 6.x / 7.x Information Disclosure
https://notcve.org/view.php?id=CVE-2019-16285
If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive. HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from a local physical access information disclosure vulnerability.
• http://packetstormsecurity.com/files/156895/HP-ThinPro-6.x-7.x-Information-Disclosure.html http://seclists.org/fulldisclosure/2020/Mar/30 https://support.hp.com/us-en/document/c06509350
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-18909 – HP ThinPro 6.x / 7.x Citrix Command Injection
https://notcve.org/view.php?id=CVE-2019-18909
The VPN software within HP ThinPro does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges. HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from a Citrix receiver connection wrapper command injection vulnerability.
• http://packetstormsecurity.com/files/156907/HP-ThinPro-6.x-7.x-Citrix-Command-Injection.html http://seclists.org/fulldisclosure/2020/Mar/39 https://support.hp.com/us-en/document/c06509350
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2015-2124
https://notcve.org/view.php?id=CVE-2015-2124
Unspecified vulnerability in Easy Setup Wizard in HP ThinPro Linux 4.1 through 5.1 and Smart Zero Core 4.3 and 4.4 allows local users to bypass intended access restrictions and gain privileges via unknown vectors.
• http://www.securityfocus.com/bid/74897 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04692275