7 matches found
CVE-2024-39717
Versa Director CVE-2024-39717: Unrestricted file upload via the Change Favicon feature is exposed to administrators (Provider-Data-Center-Admin/System-Admin) after authentication, allowing a .png file to masquerade as an image and potentially lead to remote code execution. Versa issued a security...
CVE-2019-25030
CVE-2019-25030 affects Versa Director, Versa Analytics and VOS. Passwords were stored without an adaptive hash or KDF, using Merkle-Damgard-based algorithms (e.g., MD5/SHA-1), enabling rainbow-table based cracking. The connected documents indicate the mitigation is to hash with adaptive algorithm...
CVE-2019-25029
Versa Director is affected by a command injection vulnerability. The attack relies on unsafe user-supplied data being passed to a system shell, allowing execution of arbitrary commands with the privileges of the vulnerable application. Root cause: insufficient input validation. Impact is describe...
CVE-2021-39285
Versa Director 16.1R2 Build S8 contains a cross-site scripting (XSS) vulnerability. An attacker can use the administration web interface URL to inject scripts. The CVE-2021-39285 entry documents this XSS issue; no explicit exploit details, affected component is Versa Director’s web interface, and...
CVE-2018-16496
CVE-2018-16496 affects Versa Director. The issue arises from an unauthenticated request that allows an attacker to change log levels, indicating an authorization/configuration flaw. NVD metrics (CVSSv2/v3) show a Medium severity with network vector, low complexity and no authentication required; ...
CVE-2018-16498
CVE-2018-16498 affects Versa Director where unencrypted backup files stored on the Versa deployment include credentials inside configuration files for components such as SNMP and SSL/Trust keystores. The root cause is plaintext credentials in backups, enabling potential exposure if backups are ac...
CVE-2025-23168
The CVE-2025-23168 entry describes a vulnerability in Versa Director SD-WAN’s 2FA via OTP over email/SMS. The authenticated attacker can abuse untrusted input when dispatching OTPs to redirect delivery to their device, enabling interception of codes. OTP/TOTP codes are not invalidated after use, ...