CVE-2021-42854 – Directory Traversal Read/Write/Delete at PluginServlet
https://notcve.org/view.php?id=CVE-2021-42854
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) PluginServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/plugin/pmx" API. The affected endpoint performs no validation of the user's input, which allows a malicious payload to be injected.
• https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Read-Write-Delete-at-PluginServlet-CVE-2021-42854
• CWE-20: Improper Input Validation
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42856 – Reflected Cross-site Scripting at DsaDataTest
https://notcve.org/view.php?id=CVE-2021-42856
It was discovered that the /DsaDataTest endpoint is susceptible to a cross-site scripting (XSS) attack. It was noted that the Metric parameter has no checks on user input, which allows an attacker to craft their own malicious payload to trigger an XSS vulnerability.
• https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856
• CWE-20: Improper Input Validation
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42787 – Directory Traversal Write/Delete/Partial Read at AgentConfigurationServlet
https://notcve.org/view.php?id=CVE-2021-42787
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/configuration" API. The affected endpoint performs no validation of the user's input, which allows a malicious payload to be injected.
• https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787
• CWE-20: Improper Input Validation
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42857 – Directory Traversal Partial Write at AgentDaServlet
https://notcve.org/view.php?id=CVE-2021-42857
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/da/pcf" API. The affected endpoint performs no validation of the user's input, which allows a malicious payload to be injected.
• https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Partial-Write-at-AgentDaServlet-CVE-2021-42857
• CWE-20: Improper Input Validation
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42855 – Local privilege escalation due to misconfigured write permission on .debug_command.config file
https://notcve.org/view.php?id=CVE-2021-42855
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a JSON string that contains a list of IDs and pre-configured commands. The config file is subsequently used by the "/api/appInternals/1.0/agent/configuration" API to map the corresponding ID to a command to be executed.
• https://aternity.force.com/customersuccess/s/article/Local-privilege-escalation-due-to-misconfigured-write-permission-on-debug-command-config-file-CVE-2021-42855
• CWE-284: Improper Access Control
• CWE-732: Incorrect Permission Assignment for Critical Resource