Security
Headlines
HeadlinesLatestCVEs

Headline

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Configuration Disclosure

FatPipe Networks WARP/IPVPN/MPVPN version 10.2.2 is vulnerable to an unauthenticated configuration disclosure when a direct object reference is made to the backup archive file using an HTTP GET request.

Packet Storm

Related news

CVE-2021-42336: TWCERT/CC台灣電腦網路危機處理暨協調中心-驊鉅數位科技 Easytest線上學習測驗平台 - Stored XSS

The learning history page of the Easytest is vulnerable by permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrator’s account information except password by crafting URL parameters.

CVE-2021-42335: TWCERT/CC台灣電腦網路危機處理暨協調中心-驊鉅數位科技 Easytest線上學習測驗平台 - Improper Authorization

Easytest bulletin board management function of online learning platform does not filter special characters. After obtaining a user’s privilege, remote attackers can inject JavaScript and execute stored XSS attack.

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Backdoor Account

FatPipe Networks WARP/IPVPN/MPVPN version 10.2.2 has the hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in the Users menu list of the application.

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Cross Site Request Forgery

The application interface FatPipe Networks WARP/IPVPN/MPVPN version 10.2.2 allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)

The application has a hidden administrative account 'cmuser' that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution