CVE-2022-38756 – CVE-2022-38756 vulnerability in GW Web prior to 18.4.2
https://notcve.org/view.php?id=CVE-2022-38756
A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies.
Micro Focus GroupWise is messaging software for email and personal information management.
• http://packetstormsecurity.com/files/170768/Micro-Focus-GroupWise-Session-ID-Disclosure.html
• http://seclists.org/fulldisclosure/2023/Jan/28
• https://portal.microfocus.com/s/article/KM000012374?language=en_US
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2018-12468 – Arbitrary File Upload in GroupWise Administration Console
https://notcve.org/view.php?id=CVE-2018-12468
A vulnerability in the administration console of Micro Focus GroupWise prior to version 18.0.2 may allow a remote attacker authenticated as an administrator to upload files to an arbitrary path on the server. In certain circumstances this could result in remote code execution.
• https://www.novell.com/support/kb/doc.php?id=7023223
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2016-9169
https://notcve.org/view.php?id=CVE-2016-9169
A reflected XSS vulnerability exists in the web console of the Document Viewer Agent in Novell GroupWise before 2014 R2 Support Pack 1 Hot Patch 2 that may enable a remote attacker to execute JavaScript in the context of a valid user's browser session by getting the user to click on a specially crafted link. This could lead to session compromise or other browser-based attacks.
• http://www.securityfocus.com/bid/97318
• https://www.novell.com/support/kb/doc.php?id=7018371
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-5761 – Micro Focus GroupWise Cross Site Scripting / Overflows
https://notcve.org/view.php?id=CVE-2016-5761
Cross-site scripting (XSS) vulnerability in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allows remote attackers to inject arbitrary web script or HTML via a crafted email.
Micro Focus GroupWise versions 2014 R2 SP1 and below suffer from buffer overflow, cross-site scripting, and integer overflow vulnerabilities.
• http://packetstormsecurity.com/files/138503/Micro-Focus-GroupWise-Cross-Site-Scripting-Overflows.html
• http://seclists.org/fulldisclosure/2016/Aug/123
• http://www.securityfocus.com/archive/1/539296/100/0/threaded
• http://www.securityfocus.com/bid/92645
• https://www.novell.com/support/kb/doc.php?id=7017974
• https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160825-0_Micro_Focus_GroupWise_Multiple_vulnerabilities_v10.txt
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-5762 – Micro Focus GroupWise Cross Site Scripting / Overflows
https://notcve.org/view.php?id=CVE-2016-5762
Integer overflow in the Post Office Agent in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 might allow remote attackers to execute arbitrary code via a long (1) username or (2) password, which triggers a heap-based buffer overflow.
Micro Focus GroupWise versions 2014 R2 SP1 and below suffer from buffer overflow, cross-site scripting, and integer overflow vulnerabilities.
• http://packetstormsecurity.com/files/138503/Micro-Focus-GroupWise-Cross-Site-Scripting-Overflows.html
• http://seclists.org/fulldisclosure/2016/Aug/123
• http://www.securityfocus.com/archive/1/539296/100/0/threaded
• http://www.securityfocus.com/bid/92642
• https://www.novell.com/support/kb/doc.php?id=7017975
• https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160825-0_Micro_Focus_GroupWise_Multiple_vulnerabilities_v10.txt
• CWE-190: Integer Overflow or Wraparound