7 matches found
Cross site scripting
Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka ZEN-15414, a similar issue to...
CVE-2014-6259
Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka ZEN-15414, a similar issue to...
CVE-2014-6261
Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to execute arbitrary code by (1) spoofing the callhome server or (2) deploying a crafted web site that is visited during a login session, aka ZEN-12657...
CVE-2014-9245
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382...
CVE-2014-6258
An unspecified endpoint in Zenoss Core through 5 Beta 3 allows remote attackers to cause a denial of service (CPU consumption) by triggering an arbitrary regular-expression match attempt, aka ZEN-15411...
CVE-2014-9245
CVE-2014-9245 affects Zenoss Core up to version 5 Beta 3. The vulnerability allows remote attackers to obtain sensitive information by performing a product-rename action with an invalid new name and then reading a stack trace that exposes internal URLs and other sensitive information. The availab...
CVE-2014-6257
Zenoss Core (through 5 Beta 3) contains a systemic authorization bypass (CVE-2014-6257) that lets remote attackers use a web-endpoint URL to invoke an object helper method, bypassing access restrictions. Affects Zenoss Core 4.x/5 Beta 3; no exploit details are provided in the sources. Remediation...