Lucene search
+L

193 matches found

Prion
Prion
added 2014/12/15 6:59 p.m.21 views

Cross site scripting

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691...

6.8CVSS6.9AI score0.02048EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.18 views

Cross site request forgery (csrf)

Cross-site request forgery CSRF vulnerability in Zenoss Core through 5 Beta 3 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger arbitrary code execution via a ZenPack upload, aka ZEN-15388...

6.8CVSS8.2AI score0.01218EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.17 views

Open redirect

Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the camefrom parameter, aka ZEN-11998...

6.4CVSS7.1AI score0.02069EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.27 views

Cross site scripting

Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service memory and CPU consumption via a crafted XML document containing a large number of nested entity references, aka ZEN-15414, a similar issue to...

5CVSS6.5AI score0.01619EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.20 views

Cross site scripting

Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418...

5CVSS6.9AI score0.01501EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.15 views

Cross site scripting

Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain access via a brute-force attack, aka ZEN-15406...

5CVSS7AI score0.0124EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.16 views

Cross site scripting

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions and place files in a directory with public 1 read or 2 execute access via a move action, aka ZEN-15386...

7.5CVSS7.4AI score0.01511EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.19 views

Command injection

Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote attackers to execute arbitrary commands or cause a denial of service paging outage by leveraging an unattended workstation, aka ZEN-15412...

6.8CVSS8.6AI score0.01774EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.14 views

Cross site scripting

Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to execute arbitrary code by 1 spoofing the callhome server or 2 deploying a crafted web site that is visited during a login session, aka ZEN-12657...

9.3CVSS8.1AI score0.19683EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.19 views

Cross site scripting

Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416...

2.1CVSS6.3AI score0.00362EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2014/12/15 6:59 p.m.18 views

Design/Logic Flaw

Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382...

5CVSS6.7AI score0.01407EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2014/12/15 5:27 p.m.30 views

CVE-2014-9386

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691...

6.6AI score0.02048EPSS
Exploits0References2
CVE
CVE
added 2014/12/15 5:27 p.m.52 views

CVE-2014-6257

Zenoss Core (through 5 Beta 3) contains a systemic authorization bypass (CVE-2014-6257) that lets remote attackers use a web-endpoint URL to invoke an object helper method, bypassing access restrictions. Affects Zenoss Core 4.x/5 Beta 3; no exploit details are provided in the sources. Remediation...

5CVSS7.5AI score0.01413EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2014/12/15 5:27 p.m.20 views

CVE-2014-6257

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions by using a web-endpoint URL to invoke an object helper method, aka ZEN-15407...

7.6AI score0.01413EPSS
Exploits0References2
CVE
CVE
added 2014/12/15 5:27 p.m.54 views

CVE-2014-9385

CVE-2014-9385: CSRF vulnerability in Zenoss Core up to and including 5 Beta 3 allows remote attackers to hijack user authentication and trigger arbitrary code execution via a ZenPack upload (ZEN-15388).

6.8CVSS8.1AI score0.01218EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2014/12/15 5:27 p.m.52 views

CVE-2014-9247

CVE-2014-9247 affects Zenoss Core up to 5 Beta 3, where remote authenticated users can enumerate sensitive data (user accounts, e-mail addresses, and roles) via the ZenUsers (User Manager) page. Root cause details are not provided in the initial description, and exploitation status or patch infor...

4CVSS7AI score0.01124EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2014/12/15 5:27 p.m.31 views

CVE-2014-9249

The default configuration of Zenoss Core before 5 allows remote attackers to read or modify database information by connecting to unspecified open ports, aka ZEN-15408...

7.4AI score0.01569EPSS
Exploits0References2
Cvelist
Cvelist
added 2014/12/15 5:27 p.m.29 views

CVE-2014-9385

Cross-site request forgery CSRF vulnerability in Zenoss Core through 5 Beta 3 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger arbitrary code execution via a ZenPack upload, aka ZEN-15388...

7.8AI score0.01218EPSS
Exploits0References2
Cvelist
Cvelist
added 2014/12/15 5:27 p.m.21 views

CVE-2014-6261

Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to execute arbitrary code by 1 spoofing the callhome server or 2 deploying a crafted web site that is visited during a login session, aka ZEN-12657...

7.8AI score0.19683EPSS
Exploits0References2
Cvelist
Cvelist
added 2014/12/15 5:27 p.m.21 views

CVE-2014-6254

Multiple cross-site scripting XSS vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to inject arbitrary web script or HTML via an attribute in a 1 device name, 2 device detail, 3 report name, 4 report detail, or 5 portlet name, or 6 a string to a helper method, aka ZEN-15381...

6.8AI score0.01181EPSS
Exploits0References2
Rows per page
Query Builder