CVE-2020-23451
https://notcve.org/view.php?id=CVE-2020-23451
Spiceworks version <= 7.5.00107 is affected by CSRF, which can lead to privilege escalation via the "/settings/v1/users" function. • http://spiceworks.com https://abuyv.com/cve/spiceworks-csrf-via-xss • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-23450
https://notcve.org/view.php?id=CVE-2020-23450
Spiceworks version <= 7.5.00107 is affected by XSS. Any name typed in the Custom Groups function is vulnerable to stored XSS, as names are displayed on http://127.0.0.1/inventory/groups/ without output sanitization. • http://spiceworks.com https://abuyv.com https://abuyv.com/cve/spiceworks-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3740 – SpiceWorks 7.2.00174 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-3740
Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page. SpiceWorks IT Ticketing System versions prior to 7.2.00195 suffer from multiple persistent cross-site scripting vulnerabilities. • https://www.exploit-db.com/exploits/33330 http://osvdb.org/show/osvdb/106916 http://packetstormsecurity.com/files/126596/SpiceWorks-7.2.00174-Cross-Site-Scripting.html http://packetstormsecurity.com/files/126994/SpiceWorks-IT-Ticketing-System-Cross-Site-Scripting.html http://research.openflare.org/advisories/OF-2014-07/spiceworks_xss.txt http://research.openflare.org/poc/OF-2014-07/spiceworks_crafted_ticket.mp4 http://seclists.org/fulldisclosure/2014/Jun/42 http://secunia.com/advisories/58522 htt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •