8 results (0.009 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in /fcgi/scrut_fcgi.fcgi in Plixer Scrutinizer before 19.3.1. The csvExportReport endpoint action generateCSV does not require authentication and allows an unauthenticated user to export a report and access the results. Se descubrió un problema en /fcgi/scrut_fcgi.fcgi en Plixer Scrutinizer antes de 19.3.1. La acción de endpoint csvExportReport generateCSV no requiere autenticación y permite a un usuario no autenticado exportar un informe y acceder a los resultados. • https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0001.md • CWE-287: Improper Authentication •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in /fcgi/scrut_fcgi.fcgi in Plixer Scrutinizer before 19.3.1. The csvExportReport endpoint action generateCSV is vulnerable to SQL injection through the sorting parameter, allowing an unauthenticated user to execute arbitrary SQL statements in the context of the application's backend database server. Se descubrió un problema en /fcgi/scrut_fcgi.fcgi en Plixer Scrutinizer antes de 19.3.1. La acción de endpoint csvExportReport generateCSV es vulnerable a la inyección de SQL a través del parámetro de clasificación, lo que permite a un usuario no autenticado ejecutar declaraciones SQL arbitrarias en el contexto del servidor de base de datos backend de la aplicación. • https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0001.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in Plixer Scrutinizer before 19.3.1. It exposes debug logs to unauthenticated users at the /debug/ URL path. With knowledge of valid IP addresses and source types, an unauthenticated attacker can download debug logs containing application-related information. Se descubrió un problema en Plixer Scrutinizer antes de la versión 19.3.1. Expone registros de depuración a usuarios no autenticados en la ruta URL /debug/. • https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0001.md • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 1

d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote attackers to create or overwrite arbitrary files in %PROGRAMFILES%\Scrutinizer\snmp\mibs\ via a multipart/form-data POST request. d4d/uploader.php en la consola web Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer) anterior a v9.5.0 permite a atacantes remotos crear o sobreescribir archivos arbitrarios en %PROGRAMFILES%\Scrutinizer\snmp\mibs\ a través de una solicitud POST multipart/form-data Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/37548 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt •

CVSS: 7.5EPSS: 87%CPEs: 1EXPL: 2

The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session. El componente MySQL en Plixer Scrutinizer (también conocido como Dell SonicWALL Scrutinizer) v9.0.1.19899 y anteiores tiene una contraseña por defecto para el admin en (1) scrutinizer y (2) cuentas scrutremote, lo que permite a atacantes remotos ejecutar comandos SQL a través de una sesión TCP. Scrutinizer NetFlow and sFlow Analyzer versions 9.0.1 and below suffer from bypass, cross site scripting, and remote file upload vulnerabilities. It also has undocumented MySQL admin users. • https://www.exploit-db.com/exploits/20355 http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt http://web.archive.org/web/20140722224651/http://secunia.com/advisories/50074 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •