CVE-2020-26574
https://notcve.org/view.php?id=CVE-2020-26574
Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the webquery.pl User-Agent HTTP header. The injected code is rendered for admins the next time they log in. The injected JavaScript can be used to force the admin to upload a malicious Perl script that will be executed as root via libMisc::browser_client. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
• https://adepts.of0x.cc/leostream-xss-to-rce
• https://www.leostream.com/resources/product-lifecycle
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18817
https://notcve.org/view.php?id=CVE-2018-18817
The Leostream Agent before Build 7.0.1.0, when used with Leostream Connection Broker 8.2.72 or earlier, allows remote attackers to modify registry keys via the Leostream Agent API.
• https://leostream.kayako.com/Knowledgebase/Article/View/85/52/leostream-agent-security-update