CVE-2024-12700 – Tibbo AggreGate Network Manager Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2024-12700
19 Dec 2024 — There is an unrestricted file upload vulnerability where it is possible for an authenticated (low-privileged) user to upload a JSP shell and execute code with the privileges of the user running the web server. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tibbo AggreGate Network Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within the UploaderTempFileController class. The issue results from the lack of proper vali... • https://aggregate.digital/downloads.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2015-7912 – Tibbo AggreGate SCADA/HMI Server Service uploadDirectory Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2015-7912
20 Nov 2015 — The Ice Faces servlet in ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows remote attackers to upload and execute arbitrary Java code via a crafted XML document. This vulnerability allows remote attackers to execute arbitrary c... • http://zerodayinitiative.com/advisories/ZDI-15-571 •
CVE-2015-7913 – Tibbo AggreGate SCADA/HMI Apache Axis AdminService Arbitrary Class Instantiation Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2015-7913
20 Nov 2015 — ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows local users to execute arbitrary Java code with SYSTEM privileges by using the Apache Axis AdminService deployment method to publish a class. • http://zerodayinitiative.com/advisories/ZDI-15-572 •