Headline
CVE-2022-29539: Vulnerability Research & Advisor
resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.
Finalità e modalità operative
CVE-2022-29539 – RESI S.p.A
CVE-2022-29538 – RESI S.p.A
CVE-2022-28862 – ARCHIBUS Web Central
CVE-2022-27880 – F5 Traffix Signal Delivery Controller
CVE-2022-27662 – F5 Traffix Signal Delivery Controller
CVE-2022-26484 – Veritas Operations Manager
CVE-2022-26483 – Veritas Operations Manager
CVE-2022-25344 – Olivetti d-COLOR MF3555
CVE-2022-25343 – Olivetti d-COLOR MF3555
CVE-2022-25342 – Olivetti d-COLOR MF3555
CVE-2021-41555 – ARCHIBUS Web Central
CVE-2021-41554 – ARCHIBUS Web Central
CVE-2021-41553 – ARCHIBUS Web Central
CVE-2021-38123 – Micro Focus Network Automation
CVE-2021-35492 – Wowza Streaming Engine
CVE-2021-35491 – Wowza Streaming Engine
CVE-2021-35490 – Thruk
CVE-2021-35489 – Thruk
CVE-2021-35488 – Thruk
CVE-2021-32571 – Ericsson OSS-RC
CVE-2021-32569 – Ericsson OSS-RC
CVE-2021-31540 - WOWZA Streaming Engine
CVE-2021-31539 - WOWZA Streaming Engine
CVE-2021-29661 – Softing AG OPC Toolbox
CVE-2021-29660 – Softing AG OPC Toolbox
CVE-2021-28979 - Thales SafeNet KeySecure Management Console
CVE-2021-28488 – Ericsson Network Manager
CVE-2021-28250 – CA eHealth Performance Manager
CVE-2021-28249 – CA eHealth Performance Manager
CVE-2021-28248 – CA eHealth Performance Manager
CVE-2021-28247 – CA eHealth Performance Manager
CVE-2021-28246 – CA eHealth Performance Manager
CVE-2021-26597 – NOKIA NetAct
CVE-2021-26596 – NOKIA NetAct
CVE-2021-3314 - Oracle GlassFish Server
CVE-2021-2005 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware
CVE-2020-35590 – WordPress Plugin Limit Login Attempts Reloaded
CVE-2020-35589 – WordPress Plugin Limit Login Attempts Reloaded
CVE-2020-28209 – Schneider Electric StruxureWare Building Operation Enterprise Server Installer – Enterprise Central Installer
CVE-2020-27583 – IBM InfoSphere Information Server
CVE-2020-17458 – MultiUX
CVE-2020-17457 – Fujitsu ServerView Suite iRMC
CVE-2020-15794 – Siemens Desigo Insight
CVE-2020-15793 – Siemens Desigo Insight
CVE-2020-15792 – Siemens Desigo Insight
CVE-2020-14843 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware
CVE-2020-14842 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware
CVE-2020-14690 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware
CVE-2020-12081 – FlexNet Publisher
CVE-2020-9050 – Johnson Controls Metasys MREWeb Service
CVE-2020-7573 – Schneider Electric StruxureWare Building Operation WebReports
CVE-2020-7572 – Schneider Electric StruxureWare Building Operation WebReports
CVE-2020-7571 – Schneider Electric StruxureWare Building Operation WebReports
CVE-2020-7570 – Schneider Electric StruxureWare Building Operation WebReports
CVE-2020-7569 – Schneider Electric StruxureWare Building Operation WebReports
CVE-2020-2505 – QNAP QES
CVE-2020-2504 – QNAP QES
CVE-2020-2503 – QNAP QES
CVE-2019-19994 - Selesta Visual Access Manager
CVE-2019-19993 - Selesta Visual Access Manager
CVE-2019-19992 - Selesta Visual Access Manager
CVE-2019-19991 - Selesta Visual Access Manager
CVE-2019-19990 - Selesta Visual Access Manager
CVE-2019-19989 - Selesta Visual Access Manager
CVE-2019-19988 – Selesta Visual Access Manager
CVE-2019-19987 - Selesta Visual Access Manager
CVE-2019-19986 - Selesta Visual Access Manager
CVE-2019-19456 - WOWZA Streaming Engine
CVE-2019-19455 - WOWZA Streaming Engine
CVE-2019-19454 - WOWZA Streaming Engine
CVE-2019-19453 - WOWZA Streaming Engine
CVE-2019-17406 - NOKIA IMPACT
CVE-2019-17405 - NOKIA IMPACT
CVE-2019-17404 - NOKIA IMPACT
CVE-2019-17403 - NOKIA IMPACT
Related news
On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute template language-specific instructions in the context of the server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack.
Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user, with access to the proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine 4.8.5.
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).