
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2024 — The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild. • https://documentation.n-able.com/N-central/Release_Notes/GA/Content/2024.2%20Release%20Notes.htm • CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2024 — The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3. • https://documentation.n-able.com/N-central/Release_Notes/GA/Content/2024.3%20Release%20Notes.htm • CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 May 2024 — The affected AutomationManager.AgentService.exe application contains a TOCTOU race condition vulnerability that allows standard users to create a pseudo-symlink at C:\ProgramData\N-Able Technologies\AutomationManager\Temp, which could be leveraged by an attacker to manipulate the process into performing arbitrary file deletions. We recommend upgrading to version 2.91.0.0. • https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0016.md • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

08 Feb 2024 — The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file. • https://me.n-able.com/s/security-advisory/aArHs000000M8CCKA0/cve202347131-passportal-browser-extension-logs-sensitive-data • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Feb 2024 — An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls. • https://me.n-able.com/s/security-advisory/aArHs000000M8CHKA0/cve202347132-ncentral-api-privilege-escalation • CWE-269: Improper Privilege Management

CVSS: 7.0 • EPSS: 1% • CPEs: 2 • EXPL: 2

11 Sep 2023 — BASupSrvcUpdater.exe in N-able Take Control Agent through 7.0.41.1141 before 7.0.43 has a TOCTOU Race Condition via a pseudo-symlink at %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates, leading to arbitrary file deletion. • https://github.com/3lp4tr0n/CVE-2023-27470_Exercise • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CVSS: 7.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Aug 2023 — An issue found in N-able Technologies N-central Server before 2023.4 allows a local attacker to execute arbitrary code via the monitoring function of the server. • https://status.n-able.com/2023/07/27/cve-2023-30297-release-note