
CVSS: 9.8 • EPSS: 4% • CPEs: 1 • EXPL: 1

Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.

Lansweeper version 7.2 has a default admin account enabled which allows for remote code execution.

• https://www.exploit-db.com/exploits/48618
• http://packetstormsecurity.com/files/158205/Lansweeper-7.2-Default-Account-Remote-Code-Execution.html
• https://pastebin.com/EUkMx94X
• https://www.lansweeper.com/knowledgebase/restricting-access-to-the-web-console
• CWE-1188: Initialization of a Resource with an Insecure Default

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The web console in Lansweeper 7.2.105.2 has XSS via the URL path. Product vulnerability has been fixed and disclosed within changelog as of 02 Dec 2019.

• https://www.lansweeper.com/changelog
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')