5 results (0.004 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in /fcgi/scrut_fcgi.fcgi in Plixer Scrutinizer before 19.3.1. The csvExportReport endpoint action generateCSV does not require authentication and allows an unauthenticated user to export a report and access the results. Se descubrió un problema en /fcgi/scrut_fcgi.fcgi en Plixer Scrutinizer antes de 19.3.1. La acción de endpoint csvExportReport generateCSV no requiere autenticación y permite a un usuario no autenticado exportar un informe y acceder a los resultados. • https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0001.md • CWE-287: Improper Authentication •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in /fcgi/scrut_fcgi.fcgi in Plixer Scrutinizer before 19.3.1. The csvExportReport endpoint action generateCSV is vulnerable to SQL injection through the sorting parameter, allowing an unauthenticated user to execute arbitrary SQL statements in the context of the application's backend database server. Se descubrió un problema en /fcgi/scrut_fcgi.fcgi en Plixer Scrutinizer antes de 19.3.1. La acción de endpoint csvExportReport generateCSV es vulnerable a la inyección de SQL a través del parámetro de clasificación, lo que permite a un usuario no autenticado ejecutar declaraciones SQL arbitrarias en el contexto del servidor de base de datos backend de la aplicación. • https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0001.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in Plixer Scrutinizer before 19.3.1. It exposes debug logs to unauthenticated users at the /debug/ URL path. With knowledge of valid IP addresses and source types, an unauthenticated attacker can download debug logs containing application-related information. Se descubrió un problema en Plixer Scrutinizer antes de la versión 19.3.1. Expone registros de depuración a usuarios no autenticados en la ruta URL /debug/. • https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0001.md • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

Dell SonicWall Scrutinizer 11.0.1 allows remote authenticated users to change user passwords via the user ID in the savePrefs parameter in a change password request to cgi-bin/admin.cgi. SonicWall Scrutinizer versión 11.0.1 de Dell, permite a los usuarios autenticados remotos cambiar contraseñas de usuario por medio del ID de usuario en el parámetro savePrefs en una petición de cambio de contraseña en el archivo cgi-bin/admin.cgi. • http://packetstormsecurity.com/files/127429/Dell-Sonicwall-Scrutinizer-11.01-Code-Execution-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Jul/44 http://www.securityfocus.com/bid/68495 https://exchange.xforce.ibmcloud.com/vulnerabilities/94438 https://gist.github.com/brandonprry/36b4b8df1cde279a9305 https://gist.github.com/brandonprry/76741d9a0d4f518fe297 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.5EPSS: 96%CPEs: 1EXPL: 2

Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php. Múltiples vulnerabilidades de inyección SQL en Dell SonicWall Scrutinizer 11.0.1 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del (1) parámetro selectedUserGroup en una solicitud de crear un usuario nuevo en cgi-bin/admin.cgi o el (2) parámetro user_id en la función changeUnit, (3) parámetro methodDetail en la función methodDetail o (4) parámetro xcNetworkDetail en la función xcNetworkDetail en d4d/exporters.php. • https://www.exploit-db.com/exploits/39836 http://packetstormsecurity.com/files/127429/Dell-Sonicwall-Scrutinizer-11.01-Code-Execution-SQL-Injection.html http://packetstormsecurity.com/files/137098/Dell-SonicWALL-Scrutinizer-11.01-methodDetail-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Jul/44 http://www.securityfocus.com/bid/68495 https://exchange.xforce.ibmcloud.com/vulnerabilities/94439 https://gist.github.com/brandonprry/36b4b8df1cde279a9305 https://gist.github.com/brandonprry/76741d9a0d4f518fe297 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •