193 matches found
Cross site scripting
Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691...
Cross site request forgery (csrf)
Cross-site request forgery CSRF vulnerability in Zenoss Core through 5 Beta 3 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger arbitrary code execution via a ZenPack upload, aka ZEN-15388...
Open redirect
Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the camefrom parameter, aka ZEN-11998...
Cross site scripting
Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service memory and CPU consumption via a crafted XML document containing a large number of nested entity references, aka ZEN-15414, a similar issue to...
Cross site scripting
Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418...
Cross site scripting
Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain access via a brute-force attack, aka ZEN-15406...
Cross site scripting
Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions and place files in a directory with public 1 read or 2 execute access via a move action, aka ZEN-15386...
Command injection
Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote attackers to execute arbitrary commands or cause a denial of service paging outage by leveraging an unattended workstation, aka ZEN-15412...
Cross site scripting
Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to execute arbitrary code by 1 spoofing the callhome server or 2 deploying a crafted web site that is visited during a login session, aka ZEN-12657...
Cross site scripting
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416...
Design/Logic Flaw
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382...
CVE-2014-9386
Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691...
CVE-2014-6257
Zenoss Core (through 5 Beta 3) contains a systemic authorization bypass (CVE-2014-6257) that lets remote attackers use a web-endpoint URL to invoke an object helper method, bypassing access restrictions. Affects Zenoss Core 4.x/5 Beta 3; no exploit details are provided in the sources. Remediation...
CVE-2014-6257
Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions by using a web-endpoint URL to invoke an object helper method, aka ZEN-15407...
CVE-2014-9385
CVE-2014-9385: CSRF vulnerability in Zenoss Core up to and including 5 Beta 3 allows remote attackers to hijack user authentication and trigger arbitrary code execution via a ZenPack upload (ZEN-15388).
CVE-2014-9247
CVE-2014-9247 affects Zenoss Core up to 5 Beta 3, where remote authenticated users can enumerate sensitive data (user accounts, e-mail addresses, and roles) via the ZenUsers (User Manager) page. Root cause details are not provided in the initial description, and exploitation status or patch infor...
CVE-2014-9249
The default configuration of Zenoss Core before 5 allows remote attackers to read or modify database information by connecting to unspecified open ports, aka ZEN-15408...
CVE-2014-9385
Cross-site request forgery CSRF vulnerability in Zenoss Core through 5 Beta 3 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger arbitrary code execution via a ZenPack upload, aka ZEN-15388...
CVE-2014-6261
Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to execute arbitrary code by 1 spoofing the callhome server or 2 deploying a crafted web site that is visited during a login session, aka ZEN-12657...
CVE-2014-6254
Multiple cross-site scripting XSS vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to inject arbitrary web script or HTML via an attribute in a 1 device name, 2 device detail, 3 report name, 4 report detail, or 5 portlet name, or 6 a string to a helper method, aka ZEN-15381...