CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-23451
https://notcve.org/view.php?id=CVE-2020-23451
15 Sep 2020 — Spiceworks Version <= 7.5.00107 is affected by CSRF which can lead to privilege escalation via "/settings/v1/users" function. Spiceworks versiones anteriores a 7.5.00107, está afectada por una vulnerabilidad de tipo CSRF que puede conllevar a una escalada de privilegios por medio de la función "/settings/v1/users" • http://spiceworks.com • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-23450
https://notcve.org/view.php?id=CVE-2020-23450
01 Sep 2020 — Spiceworks Version <= 7.5.00107 is affected by XSS. Any name typed on Custom Groups function is vulnerable to stored XSS as they displayed on http://127.0.0.1/inventory/groups/ without output sanitization. Spiceworks versiones anteriores a 7.5.00107 incluyéndola, está afectada por una vulnerabilidad de tipo XSS. Cualquier nombre escrito en la función Custom Groups es vulnerable a los ataques de tipo XSS almacenado, ya que son mostrados en http://127.0.0.1/inventory/groups/ sin saneamiento de la salida • http://spiceworks.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 9%CPEs: 1EXPL: 3CVE-2017-7237 – SpiceWorks 7.5 TFTP - Remote File Overwrite / Upload
https://notcve.org/view.php?id=CVE-2017-7237
05 Apr 2017 — The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks data\configurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file. El servidor Spiceworks TFTP, tal y como se distribuye con Spiceworks Inventory 7.5, permite a atacantes remotos acceder al directorio de Spiceworks data... • https://packetstorm.news/files/id/141934 •