
CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 2

08 Nov 2023 — An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A blind boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data. • https://github.com/d5sec/CVE-2021-43609-POC • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 5

18 Dec 2020 — Host header injection in Spiceworks 7.5.7.0 allows an attacker to render arbitrary links that point to a malicious website by serving web pages with a poisoned Host header. Spiceworks version 7.5 suffers from an HTTP header injection vulnerability. • https://packetstorm.news/files/id/160631 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Sep 2020 — Spiceworks version <= 7.5.00107 is affected by CSRF, which can lead to privilege escalation via the "/settings/v1/users" function. • http://spiceworks.com • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Sep 2020 — Spiceworks version <= 7.5.00107 is affected by XSS. Any name entered in the Custom Groups function is vulnerable to stored XSS, as the names are displayed on http://127.0.0.1/inventory/groups/ without output sanitization. • http://spiceworks.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Apr 2017 — Spiceworks Desktop before 2015-12-01 has XSS via an SNMP response. • https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 9% | CPEs: 1 | EXPL: 3

05 Apr 2017 — The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks data\configurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file. • https://packetstorm.news/files/id/141934

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

17 Sep 2014 — Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types. • https://www.exploit-db.com/exploits/20063 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 3

17 Sep 2014 — SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is for the XSS. • https://www.exploit-db.com/exploits/20063 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.4 | EPSS: 0% | CPEs: 3 | EXPL: 7

09 Jun 2014 — Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page. SpiceWorks IT Ticketing System versions prior to 7.2.00195 suffer from mul... • https://packetstorm.news/files/id/126994 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')