4 results (0.005 seconds)

CVSS: 7.5EPSS: 9%CPEs: 1EXPL: 4

The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary files with kluser privileges. El parámetro reportId del método de la acción getReportStatus puede ser violado en la interfaz web en Kaspersky Anti-Virus para Linux File Server anterior al paquete de mantenimiento 2 corrección crítica 4 (versión 8.0.4.312), para leer archivos arbitrarios con privilegios kluser. Kaspersky Anti-Virus for Linux File Server version 8.0.3.297 suffers from remote code execution, cross site request forgery, cross site scripting, security bypass, information disclosure, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/42269 http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html http://seclists.org/fulldisclosure/2017/Jun/33 http://www.securityfocus.com/bid/99330 http://www.securitytracker.com/id/1038798 https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 4

There are no Anti-CSRF tokens in any forms on the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. No existen tokens Anti-CSRF en ningún formulario en la interfaz web en Kaspersky Anti-Virus para Linux File Server anterior al paquete de mantenimiento 2 corrección crítica 4 (versión 8.0.4.312). Esto permitiría a un atacante enviar peticiones autenticadas cuando un usuario autenticado navega en un dominio controlado por un atacante. Kaspersky Anti-Virus for Linux File Server version 8.0.3.297 suffers from remote code execution, cross site request forgery, cross site scripting, security bypass, information disclosure, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/42269 http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html http://seclists.org/fulldisclosure/2017/Jun/33 http://www.securityfocus.com/bid/99330 http://www.securitytracker.com/id/1038798 https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 4

The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). By abusing the quarantine read and write operations, it is possible to elevate the privileges to root. El kluser es capaz de interactuar con el binario kav4fs-control en Kaspersky Anti-Virus para Linux File Server anterior al paquete de mantenimiento 2 corrección crítica 4 (versión 8.0.4.312). Al violar las operaciones de lectura y escritura en cuarentena, es posible elevar los privilegios a root. Kaspersky Anti-Virus for Linux File Server version 8.0.3.297 suffers from remote code execution, cross site request forgery, cross site scripting, security bypass, information disclosure, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/42269 http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html http://seclists.org/fulldisclosure/2017/Jun/33 http://www.securityfocus.com/bid/99330 http://www.securitytracker.com/id/1038798 https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities • CWE-20: Improper Input Validation •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 4

In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312), the scriptName parameter of the licenseKeyInfo action method is vulnerable to cross-site scripting (XSS). En Kaspersky Anti-Virus para Linux File Server anterior al paquete de mantenimiento 2 corrección crítica 4 (versión 8.0.4.312), el parámetro scriptName del método de acción licenseKeyInfo es vulnerable a un problema de tipo cross-site scripting (XSS). Kaspersky Anti-Virus for Linux File Server version 8.0.3.297 suffers from remote code execution, cross site request forgery, cross site scripting, security bypass, information disclosure, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/42269 http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html http://seclists.org/fulldisclosure/2017/Jun/33 http://www.securityfocus.com/bid/99330 http://www.securitytracker.com/id/1038798 https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •