CVE-2021-28829 – TIBCO Administrator CSV injection vulnerability
https://notcve.org/view.php?id=CVE-2021-28829
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition for z/Linux, and TIBCO Administrator - Enterprise Edition for z/Linux contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a persistent CSV injection attack from the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.10.2 and below, and TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.11.0 and 5.11.1. • http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2021/04/tibco-security-advisory-april-20-2021-tibco-administrator-2021-28829 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2021-28828 – TIBCO Administrator SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2021-28828
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition for z/Linux, and TIBCO Administrator - Enterprise Edition for z/Linux contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a SQL injection attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.10.2 and below, and TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.11.0 and 5.11.1. El componente GUI de Administración de TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution para TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution para TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition para z/Linux y TIBCO Administrator - Enterprise Edition para z/Linux de TIBCO Software Inc, contiene una vulnerabilidad fácilmente explotable que permite a un atacante poco privilegiado con acceso a la red ejecutar un ataque de inyección SQL en el sistema afectado. • http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2021/04/tibco-security-advisory-april-20-2021-tibco-administrator-2021-28828 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-28827 – TIBCO Administrator Stored Cross Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-28827
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition for z/Linux, TIBCO Administrator - Enterprise Edition for z/Linux, TIBCO Runtime Agent, TIBCO Runtime Agent, TIBCO Runtime Agent for z/Linux, and TIBCO Runtime Agent for z/Linux contains an easily exploitable vulnerability that allows an unauthenticated attacker to social engineer a legitimate user with network access to execute a Stored XSS attack targeting the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.11.0 and 5.11.1, TIBCO Runtime Agent: versions 5.10.2 and below, TIBCO Runtime Agent: versions 5.11.0 and 5.11.1, TIBCO Runtime Agent for z/Linux: versions 5.10.2 and below, and TIBCO Runtime Agent for z/Linux: versions 5.11.0 and 5.11.1. • http://www.tibco.com/services/support/advisories https://www.tibco.com/support/advisories/2021/04/tibco-security-advisory-april-20-2021-tibco-administrator-2021-28827 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-1403 – BootManage TFTP Server 1.99 - 'Filename' Remote Buffer Overflow
https://notcve.org/view.php?id=CVE-2008-1403
Stack-based buffer overflow in the TFTP server in BootManage TFTPD 1.99 and earlier in BootManage Administrator 7.1 and earlier allows remote attackers to execute arbitrary code via a request with a long filename. Desbordamiento de búfer basado en pila en el servidor TFTP de BootManage TFTPD versión 1.99 y anteriores permite a atacantes remotos ejecutar código de su elección utilizando una petición con un nombre de fichero demasiado largo. • https://www.exploit-db.com/exploits/31409 http://aluigi.altervista.org/adv/bootixtftpd-adv.txt http://secunia.com/advisories/29404 http://www.securityfocus.com/archive/1/489705/100/0/threaded http://www.securityfocus.com/bid/28270 https://exchange.xforce.ibmcloud.com/vulnerabilities/41226 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •