10 matches found
CVE-2022-24689
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages including personal data without being authenticated. The collected information includes the badge numbers that operate as user login...
CVE-2022-24689
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages including personal data without being authenticated. The collected information includes the badge numbers that operate as user login...
SQL injection
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. A PresAbs.php SQL Injection vulnerability allows unauthenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Injection is blind boolean based. An unauthenticated attacker...
Unrestricted file upload
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload and consequently Remote Code Execution via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order...
CVE-2022-24692
The CVE-2022-24692 entry concerns DSK DSKNet 2.16.136.0 and 2.17.136.5. A new menu option on the general Parameters page is vulnerable to stored XSS, allowing an attacker to create a menu option visible to all users and potentially perform session hijacking, account takeover, or deliver malicious...
CVE-2022-24691
CVE-2022-24691 affects DSK DSKNet 2.16.136.0 and 2.17.136.5. The vulnerability is a blind boolean-based SQL Injection that allows authenticated users to taint database data and extract sensitive information via crafted HTTP requests.
CVE-2022-24689
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages including personal data without being authenticated. The collected information includes the badge numbers that operate as user login...
CVE-2022-24689
The CVE-2022-24689 entry concerns DSK DSKNet 2.16.136.0 and 2.17.136.5, where broken access control allows an unauthenticated remote attacker to view account information pages (including personal data) and obtain login badge numbers; PINs are four-digit and susceptible to a 10,000-guess brute for...
CVE-2022-24688
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload and consequently Remote Code Execution via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order...
CVE-2022-24688
CVE-2022-24688 affects DSK DSKNet 2.16.136.0 and 2.17.136.5. The issue allows unrestricted file upload via PDF content that uses a PHP extension, enabling Remote Code Execution. An attacker must obtain privileged access to the Parameters page (via Broken Access Control with brute-force or SQL Inj...