CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2019-3776 – Reflected XSS in Pivotal Operations Manager
https://notcve.org/view.php?id=CVE-2019-3776
07 Mar 2019 — Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser. Pivotal Operations Manager, en las versiones 2.1.x anteriores a la 2.1.20, en las 2.2.x anteriores a la 2.2.16, en las 2.3.x anteriores a la ... • http://www.securityfocus.com/bid/107344 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2018-15762 – Pivotal Operations Manager gives all users heightened privileges
https://notcve.org/view.php?id=CVE-2018-15762
02 Nov 2018 — Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman. Pivotal Operations Manager, en versiones 2.0.x anteriores a la 2.0.24, versiones 2.1.x anteriores a la 2.1.15, versiones 2.2.x anteriores a la 2.2.7 y versiones 2.3.x anteri... • https://pivotal.io/security/cve-2018-15762 • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-11081 – Pivotal Operations Manager UAA config - temp Ram Disk
https://notcve.org/view.php?id=CVE-2018-11081
05 Oct 2018 — Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk.. Pivotal Operations Manager, en versiones 2.2.x anteriores a la 2.2.1, 2.1.x anteriores a la 2.1.11, 2.0.x... • https://pivotal.io/security/cve-2018-11081 •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2018-11045
https://notcve.org/view.php?id=CVE-2018-11045
11 Jul 2018 — Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG. Pivotal Operations Manager, en versiones 2.1 anteriores a la 2.1.6 y 2.0 anteriores a la 2.0.15 y 1.1... • https://pivotal.io/security/cve-2018-11045 • CWE-330: Use of Insufficiently Random Values •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-11046
https://notcve.org/view.php?id=CVE-2018-11046
25 Jun 2018 — Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager Pivotal Operations Manager, en versiones 2.1.x anteriores a la 2.1.6 y en la versión 2.0.14, incluye paquetes NGINX que carecen de parches de vulnerabilidades de seguridad. Un atacante que tenga acceso a los procesos ... • http://www.securityfocus.com/bid/104545 • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2016-4380 – HP Security Bulletin HPSBGN03637 1
https://notcve.org/view.php?id=CVE-2016-4380
31 Aug 2016 — Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en el AdminUI en HPE Operations Manager 9.21.x en versiones anteriores a 9.21.130 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. A potential vulnerability has been identified in the AdminUI of the HP ... • http://www.securityfocus.com/bid/92698 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 6EXPL: 0CVE-2016-4373 – HP Security Bulletin HPSBGN03630 1
https://notcve.org/view.php?id=CVE-2016-4373
26 Jul 2016 — The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. El AdminUI en HPE Operations Manager (OM) en versiones anteriores a 9.21.130 en Linux, Unix y Solaris permite a atacantes remotos ejecutar comandos arbitrarios a través de un objeto Java serializado manipulado, relacionado con la librería Apache Commons Collections (ACC). A v... • http://www.securityfocus.com/bid/92122 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 86%CPEs: 4EXPL: 6CVE-2014-5073 – VMTurbo Operations Manager 4.6 - 'vmtadmin.cgi' Remote Command Execution
https://notcve.org/view.php?id=CVE-2014-5073
14 Aug 2014 — vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the fileDate parameter in a DOWN call. vmtadmin.cgi en VMTurbo Operations Manager anterior a 4.6 build 28657 permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres de shell en el parámetro fileDate en una llamada DOWN. • https://packetstorm.news/files/id/127864 •
CVSS: 7.5EPSS: 12%CPEs: 2EXPL: 3CVE-2014-3806 – VM Turbo Operations Manager 4.5x - Directory Traversal
https://notcve.org/view.php?id=CVE-2014-3806
21 May 2014 — Directory traversal vulnerability in cgi-bin/help/doIt.cgi in VMTurbo Operations Manager before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the xml_path parameter. Vulnerabilidad de salto de directorio en cgi-bin/help/doIt.cgi en VMTurbo Operations Manager anterior a 4.6 permite a atacantes remotos leer archivos arbitrarios a través de un .. (punto punto) en el parámetro xml_path. • https://www.exploit-db.com/exploits/33334 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •