CVE-2020-14011 – Lansweeper 7.2 - Incorrect Access Control
https://notcve.org/view.php?id=CVE-2020-14011
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features. Lansweeper version 7.2 has a default admin account enabled which allows for remote code execution.
References:
https://www.exploit-db.com/exploits/48618
http://packetstormsecurity.com/files/158205/Lansweeper-7.2-Default-Account-Remote-Code-Execution.html
https://pastebin.com/EUkMx94X
https://www.lansweeper.com/knowledgebase/restricting-access-to-the-web-console
Weakness: CWE-1188: Initialization of a Resource with an Insecure Default
CVE-2019-18955
https://notcve.org/view.php?id=CVE-2019-18955
The web console in Lansweeper 7.2.105.2 has XSS via the URL path. The product vulnerability has been fixed and disclosed in the changelog as of 02 Dec 2019.
References:
https://www.lansweeper.com/changelog
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-13462
https://notcve.org/view.php?id=CVE-2019-13462
Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.
References:
https://www.lansweeper.com/forum/yaf_topics33_Announcements.aspx
https://www.nccgroup.trust/uk/our-research/technical-advisory-unauthenticated-sql-injection-in-lansweeper
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-9264
https://notcve.org/view.php?id=CVE-2015-9264
Lansweeper 4.x through 6.x before 6.0.0.48 allows attackers to execute arbitrary code on the administrator's workstation via a crafted Windows service.
References:
https://www.lansweeper.com/updates/lansweeper-6-0-0-48-security-update
Weakness: CWE-20: Improper Input Validation
CVE-2017-16841 – LanSweeper 6.0.100.75 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16841
LanSweeper 6.0.100.75 has XSS via the description parameter to /Calendar/CalendarActions.aspx.
References:
https://www.exploit-db.com/exploits/43149
https://www.linkedin.com/pulse/lansweeper-bug-miguel-angel-mendez-oscp
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')