HTML injection in Users in Guardian/CMC before 26.1.0
Summary A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. Impact An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a...
HTML injection in Schedule Restore Archive in Guardian/CMC before 26.1.0
Summary A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. Impact An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim view...
HTML injection in Smart Polling in Guardian/CMC before 26.1.0
Summary A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. Impact An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views th...
HTML injection in Credentials Manager in Guardian/CMC before 26.1.0
Summary A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. Impact An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delet...
Angular template injection in Reports in Guardian/CMC before 26.1.0
Summary An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. Impact An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially...
Stored Cross-Site Scripting (XSS) in Assets and Nodes in Guardian/CMC before 26.0.0
Summary A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. Impact An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victi...
Incorrect authorization for Threat Intelligence in Guardian/CMC before 26.0.0
Summary An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. Impact An authenticated user with view-only privileges for the Threat Intelligence functionality ca...
HTML injection in Alerted Nodes Dashboard in Guardian/CMC before 25.6.0
Summary A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation of an input parameter. Impact A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured t...
HTML injection in Sensor Map in CMC before 25.6.0
Summary A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation of connected Guardians' properties. Impact A malicious authenticated user with administrator privileges on a Guardian connected to a CMC can edit the Guardian's properties...
Lack of TLS certificate validation when connecting Arc to a Guardian or CMC, in Arc before v2.2.0
Summary The server certificate was not verified when an Arc agent connected to a Guardian or CMC. Impact A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and...
Stored Cross-Site Scripting (XSS) in Reports in Guardian/CMC before 25.5.0
Summary A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. Impact An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineer...
HTML injection in Asset List in Guardian/CMC before 25.5.0
Summary A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. Impact An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affecte...
Path traversal in Import Arc data archive functionality in Guardian/CMC before 25.5.0
Summary A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. Impact An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files in...
HTML injection in Time Machine functionality in Guardian/CMC before 25.5.0
Summary A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. Impact An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset...
Stored Cross-Site Scripting (XSS) in Dashboards in Guardian/CMC before 25.4.0
Summary A Stored Cross-Site Scripting vulnerability was discovered in the Dashboards functionality due to improper validation of an input parameter. Impact An authenticated low-privilege user can craft a malicious dashboard containing a JavaScript payload and share it with victim users, or a vict...
Authenticated SQL Injection on Alert functionality in Guardian/CMC before 25.2.0
Summary A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input parameter. Impact An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing...
Authenticated SQL Injection on Smart Polling functionality in Guardian/CMC before 25.2.0
Summary A SQL Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. Impact An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing...
Authenticated SQL Injection on CLI functionality in Guardian/CMC before 25.3.0
Summary A SQL Injection vulnerability was discovered in the CLI functionality due to improper validation of an input parameter. Impact An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthoriz...
Path traversal in Time Machine functionality in Guardian/CMC before 25.2.0
Summary A path traversal vulnerability was discovered in the Time Machine functionality due to missing validation of two input parameters. Impact An authenticated user with limited privileges, by issuing a specifically-crafted request, can potentially alter the structure and content of files in t...
Authenticated SQL Injection on Alert functionality in Guardian/CMC before 25.2.0
Summary A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input parameter. Impact An authenticated user with limited privileges can execute arbitrary SQL statements on the DBMS used by the web application, potentially exposing unauthorized...
Incorrect authorization for CLI in Guardian/CMC before 25.2.0
Summary An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. Impact An authenticated user with limited privileges can issue administrative CLI commands, altering the device...
Client-side path traversal in Guardian/CMC before 25.2.0
Summary A client-side path traversal vulnerability was discovered in the web management interface front-end due to missing validation of an input parameter. Impact An authenticated user with limited privileges can craft a malicious URL which, if visited by an authenticated victim, leads to a...
Incorrect authorization for traces request/download in CMC before 25.1.0
Summary An access control vulnerability was discovered in the Request Trace and Download Trace functionalities due to a specific access restriction not being properly enforced for users with limited privileges. Impact An authenticated user with limited privileges can request and download trace...
Privilege escalation in Guardian/CMC before 24.6.0
Summary A privilege escalation vulnerability may enable a service account to elevate its privileges. Impact The sudo rules configured for a local service account were excessively permissive, potentially allowing administrative access if a malicious actor could execute arbitrary commands as that...
Authenticated RCE in update functionality in Guardian/CMC before 24.6.0
Summary An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands. Impact Users with administrative privileges may upload update packages to upgrade the versions of Nozomi Networks Guardian and CMC...
Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0
Summary An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. Impact If a logged-in user with reporting privileges learns how to create a specific application request, they might be...
Unsafe temporary data privileges on Unix systems in Arc before v1.6.0
Summary On Unix systems (Linux, macOS), Arc uses a temporary file with unsafe privileges. Impact By tampering with this file, a malicious local user on the system may be able to trigger arbitrary code execution with root privileges. Mitigation N/A Solution Upgrade to v1.6.0 or later...
Missing authentication for local web interface in Arc before v1.6.0
Summary When configuring Arc, e.g. during first setup, a local web interface is provided to ease the configuration process. This web interface lacks authentication and may thus be abused by a local attacker or by malware running on the machine itself. Impact A malicious local user or process,...
Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0
Summary On Windows systems, the Arc configuration files were found to be world-readable. Impact This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration files. Mitigation N/A Solution Upgrade to v1.6.0 or later...
Path traversal via 'zip slip' in Arc before v1.6.0
Summary Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. Impact An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have...
Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
Summary Audit records for OpenAPI requests may include sensitive information. Impact Unauthorized access, privilege escalation. Mitigation Nozomi Networks recommends creating specific users for OpenAPI usage, with only the necessary permissions to access the required data sources. Additionally, i...
DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1
Summary A Denial of Service (DoS) vulnerability in Nozomi Networks Guardian, caused by improper input validation in certain fields used in the Radius parsing functionality of our IDS, allows an unauthenticated attacker sending specially crafted malformed network packets to cause the IDS module to...
Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0
Summary A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC may allow an unauthenticated attacker to obtain asset data. Impact Malicious unauthenticated users with knowledge of the underlying...
Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0
Summary A SQL Injection vulnerability has been found in Nozomi Networks Guardian and CMC, due to improper input validation in certain parameters used in the Query functionality. Impact Authenticated users may be able to execute arbitrary SQL statements on the DBMS used by the web application...
SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0
Summary A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, may allow an unauthenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application ...
DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0
Summary A Denial of Service (DoS) vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, allows an unauthenticated attacker to crash the IDS module by sending specially crafted malformed network...
DoS via SAML configuration in Guardian/CMC before 22.6.2
Summary An authenticated administrator can upload a SAML configuration file in the wrong format, because the application does not check that the file format is correct. Every subsequent application request will then return an error. Impact The whole application is rendered unusable until a console intervention...
Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2
Summary A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the alertscount component, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application. Impact Authenticated users may be able to...
Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2
Summary An access control vulnerability was found, due to the restrictions that are applied on actual assertions not being enforced in their debug functionality. Impact An authenticated user with reduced visibility can obtain unauthorized information via the debug functionality, obtaining data th...
Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2
Summary A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application. Impact Authenticated users may be able to extra...
Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2
Summary An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Impac...
Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2
Summary A partial DoS vulnerability has been detected in the Reports section, exploitable by a malicious authenticated user forcing a report to be saved with its name set as null. Impact The reports section will be partially unavailable for all later attempts to use it, with the report list...
Session Fixation in Guardian/CMC before 22.6.2
Summary In certain conditions, depending on timing and the use of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user session upon logout. Thus an authenticated local attacker may gain access to the original user's session. Impact Unauthorized...
Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2
Summary A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the Alerts controller, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application. Impact Authenticated users can extract arbitrary...
Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0
Summary Improper Input Validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticated attacker with admin or import manager roles to execute unattended commands on the appliance using web server user privileges. Impact Users with admin or import manage...
Authenticated RCE on logo report upload in Guardian/CMC before 22.0.0
Summary Improper Input Validation vulnerability in custom report logo upload in Nozomi Networks Guardian and CMC allows an authenticated attacker with admin or report manager roles to execute unattended commands on the appliance using web server user privileges. Impact Users with admin or report...
Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4
Summary An OS command injection vulnerability in the management interface allows an authenticated administrator to execute arbitrary OS commands gaining access to the system. Impact Authenticated web GUI administrator can execute a command on the local system and then escalate privilege to the ro...
Authenticated command path traversal on timezone settings in Guardian/CMC before 20.0.7.4
Summary An authenticated command path traversal vulnerability in the management interface allows an authenticated administrator to read protected system files. Impact An authenticated web GUI administrator can force the system to copy system files to the wrong location, allowing them to read the...
Angular template injection on custom report name field
Summary The report name field is affected by Angular template injection, which can lead to XSS attacks. Impact The custom report name field can lead to XSS attacks by malicious users. The attacker must have a valid Guardian/CMC login with the ‘Report editor’ capability to leverage this. Mitigation None...
Cross-site request forgery attack on change password form
Summary The change password form doesn't validate the CSRF token properly. Impact An attacker can force the victim to change their password without their knowledge. To successfully complete this attack the victim needs to be logged in to the Guardian/CMC and visit a specially prepared page containing the forged change password...