CVE-2014-5362 – Landesk Management Suite 9.5 RFI / CSRF
https://notcve.org/view.php?id=CVE-2014-5362
The admin interface in Landesk Management Suite 9.6 and earlier allows remote attackers to conduct remote file inclusion attacks involving ASPX pages from third-party sites via the d parameter to (1) ldms/sm_actionfrm.asp or (2) remote/frm_coremainfrm.aspx; or the (3) top parameter to remote/frm_splitfrm.aspx. Landesk Management Suite version 9.5 suffers from cross site request forgery and remote file inclusion vulnerabilities.
References:
http://packetstormsecurity.com/files/131496/Landesk-Management-Suite-9.5-RFI-CSRF.html
http://www.securityfocus.com/archive/1/535286/100/1100/threaded
http://www.securityfocus.com/bid/74190
http://www.securitytracker.com/id/1032203
CWE-20: Improper Input Validation
CVE-2014-5361 – Landesk Management Suite 9.5 RFI / CSRF
https://notcve.org/view.php?id=CVE-2014-5361
Multiple cross-site request forgery (CSRF) vulnerabilities in Landesk Management Suite 9.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) start, (2) stop, or (3) restart services via a request to remote/serverServices.aspx. Landesk Management Suite version 9.5 suffers from cross site request forgery and remote file inclusion vulnerabilities.
References:
http://packetstormsecurity.com/files/131496/Landesk-Management-Suite-9.5-RFI-CSRF.html
http://www.securityfocus.com/archive/1/535286/100/0/threaded
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2014-5360 – Landesk Management Suite 9.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-5360
Cross-site scripting (XSS) vulnerability in the admin interface in LANDESK Management Suite before 9.6 SP1 allows remote attackers to inject arbitrary web script or HTML via the AMTVersion parameter to remote/serverlist_grouptree.aspx. Landesk Management Suite version 9.5 suffers from a cross site scripting vulnerability.
References:
http://seclists.org/fulldisclosure/2015/Feb/6
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1195 – LANDesk Lenovo ThinkManagement Console - Remote Command Execution
https://notcve.org/view.php?id=CVE-2012-1195
Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via a PutUpdateFileCore command in a RunAMTCommand SOAP request, then accessing the file via a direct request to the file in the web root. LANDesk Lenovo ThinkManagement Suite version 9.0.3 suffers from a core server remote code execution vulnerability.
References:
https://www.exploit-db.com/exploits/18714
https://www.exploit-db.com/exploits/18622
http://osvdb.org/79276
http://secunia.com/advisories/47666
http://www.securityfocus.com/bid/52023
http://www.securitytracker.com/id?1026693
https://exchange.xforce.ibmcloud.com/vulnerabilities/73207
CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-1196 – LANDesk Lenovo ThinkManagement Console - Remote Command Execution
https://notcve.org/view.php?id=CVE-2012-1196
Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to delete arbitrary files via a .. (dot dot) in the filename parameter in a SetTaskLogByFile SOAP request. LANDesk Lenovo ThinkManagement Suite version 9.0.3 suffers from a core server remote arbitrary file deletion vulnerability.
References:
https://www.exploit-db.com/exploits/18714
https://www.exploit-db.com/exploits/18623
http://osvdb.org/79277
http://secunia.com/advisories/47666
http://www.securityfocus.com/bid/52023
http://www.securitytracker.com/id?1026693
https://exchange.xforce.ibmcloud.com/vulnerabilities/73208
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')