CVE-2015-1605 – Dell ScriptLogic Asset Manager GetProcessedPackage SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2015-1605
Multiple SQL injection vulnerabilities in Dell ScriptLogic Asset Manager (aka Quest Workspace Asset Manager) before 9.5 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) GetClientPackage.aspx or (2) GetProcessedPackage.aspx. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell ScriptLogic Asset Manager, also known as Quest Workspace Asset Manager. Authentication is not required to exploit this vulnerability. The flaw is reachable through a specially crafted web request to the GetProcessedPackage.aspx handler that is installed as part of this product. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. • http://www.securityfocus.com/bid/72697 http://www.zerodayinitiative.com/advisories/ZDI-15-048 http://www.zerodayinitiative.com/advisories/ZDI-15-049 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-2588 – McAfee Asset Manager 6.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-2588
Directory traversal vulnerability in servlet/downloadReport in McAfee Asset Manager 6.6 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the reportFileName parameter. • https://www.exploit-db.com/exploits/32368 http://packetstormsecurity.com/files/125775/McAfee-Cloud-SSO-Asset-Manager-Issues.html http://seclists.org/fulldisclosure/2014/Mar/325 http://www.osvdb.org/104633 http://www.securityfocus.com/bid/66302 http://www.securitytracker.com/id/1029927 https://exchange.xforce.ibmcloud.com/vulnerabilities/91930 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2014-2587 – McAfee Asset Manager 6.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-2587
SQL injection vulnerability in jsp/reports/ReportsAudit.jsp in McAfee Asset Manager 6.6 allows remote authenticated users to execute arbitrary SQL commands via the username of an audit report (aka the user parameter). • https://www.exploit-db.com/exploits/32368 http://packetstormsecurity.com/files/125775/McAfee-Cloud-SSO-Asset-Manager-Issues.html http://seclists.org/fulldisclosure/2014/Mar/325 http://www.osvdb.org/104634 http://www.securityfocus.com/bid/66302 http://www.securitytracker.com/id/1029927 https://exchange.xforce.ibmcloud.com/vulnerabilities/91929 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •