EUVD-2021-13278

Malware in sbrugna...

CVE-2021-26473

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebserviceo.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server...

CVE-2021-26473

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebserviceo.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server...

CVE-2021-26472

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges...

CVE-2021-26471

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebserviceo.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands...

Command injection

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebserviceo.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands...

Design/Logic Flaw

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges...

Design/Logic Flaw

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebserviceo.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server...

CVE-2021-26473

An unauthenticated arbitrary file write and remote code execution vulnerability in VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1. The HTTP API at /sgwebservice_o.php?action=logFilePath allows writing arbitrary files in the web server process context, which can later be executed by req...

CVE-2021-26473 Unauthenticated arbitrary file upload and command execution in Vembu products

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebserviceo.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server...

CVE-2021-26472 Unauthenticated remote command execution with SYSTEM privileges in Vembu products

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges...

CVE-2021-26472

CVE-2021-26472 affects VembuBDR (pre-4.2.0.1) and VembuOffsiteDR (pre-4.2.0.1) on Windows. The http API at /consumerweb/secure/download.php allows an unauthenticated attacker to inject commands and execute arbitrary OS commands with SYSTEM privileges. No remediation details are provided in the co...

CVE-2021-26471 Unauthenticated remote command execution in Vembu products

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebserviceo.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands...

CVE-2021-26471

CVE-2021-26471 affects VembuBDR (before 4.2.0.1) and VembuOffsiteDR (before 4.2.0.1). The http API at /sgwebservice_o.php accepts a command argument, enabling an unauthenticated attacker to execute arbitrary shell commands via command injection in the API. This is a network-accessible vulnerabili...