5 matches found
CVE-2022-28862
Affected product : Archibus Web Central. Vulnerability : SQL Injection in dwr/call/plaincall/workflow.runWorkflowRule.dwr prior to 26.2, allowing arbitrary SQL to modify query syntax and perform unauthorized operations against the remote database. Root cause : lack of validation of externally ent...
CVE-2021-41554
ARCHIBUS Web Central 21.3.3.815 suffers improper access control: requests to /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, and /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw do not verify p...
CVE-2021-41553
In ARCHIBUS Web Central 21.3.3.815 (2014), the Web Application at /archibus/login.axvw assigns a session token that can already be in use by another user. After login, the app does not issue a new token, continuing to use the inserted token as the session identifier. It is also possible to set th...
CVE-2022-45165
CVE-2022-45165 affects Archibus Web Central 2022.03.01.107 where a service accepts a user-controlled parameter to build an SQL query, making it prone to SQL injection. Reported impacts include potential high-severity concerns (per CVSS metrics: confidentiality and integrity impacts reported). Pub...
CVE-2021-41555
CVE-2021-41555 affects ARCHIBUS Web Central 21.3.3.815 and earlier. The vulnerability is an XSS in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr where input data from clients is re-included in the HTTP response without proper validation, allowing HTML or client-side code (e.g., JavaSc...