6 matches found
CVE-2021-46354
CVE-2021-46354 affects Thinfinity VirtualUI versions 2.1.28.0, 2.1.32.1, and 2.5.26.2; fixed in 3.0. The vulnerability is an information disclosure caused by the Addr parameter in the cmd site, enabling the vulnerable server to send requests to external systems and potentially reveal the real IP ...
CVE-2021-45092
CVE-2021-45092 affects Thinfinity VirtualUI prior to 3.0. Affected component: the /lab.html endpoint (reachable by default), where the vpath parameter can be used to inject an IFRAME. Under the described conditions, exploitation could lead to iframeing external sites, with potential impact depend...
CVE-2021-44848
Thinfinity VirtualUI (before 3.0) has a user-enumeration flaw in /changePassword: responses differ based on whether the username exists, enabling an attacker to determine valid usernames (e.g., Administrator, Guest). This credential disclosure stems from the authentication response behavior and i...
CVE-2019-16384
CVE-2019-16384 affects Cybele Software Thinfinity VirtualUI (version 2.5.17.2). The vulnerability is a path traversal flaw that allows accessing files outside the web directory if the attacker knows the exact location and has permissions. Root cause described as improper filtering of path element...
CVE-2019-16385
Cybele Thinfinity VirtualUI 2.5.17.2 is affected by CVE-2019-16385 due to an HTTP response splitting flaw via the mimetype parameter in a PDF viewer request, enabling a reflected XSS when a user loads a malicious PDF request (example.pdf?mimetype=...). Red Hat advisory RH:CVE-2019-16385 corrobora...
CVE-2021-44554
CVE-2021-44554 affects Thinfinity VirtualUI prior to 3.0. The vulnerability allows an unauthenticated attacker to enumerate Windows OS usernames via the /changePassword URI, returning messages that reveal whether a username exists, with language variation based on VirtualUI configuration (example...