GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. It was found that in affected versions there is an exposure of private information defined in setup of GLPI (like smtp or cas hosts). Note that passwords are not exposed. Users are advised to upgrade to version 10.0.3. There are no known workarounds for this issue.

@@ -0,0 +1,57 @@

{#

\# ---------------------------------------------------------------------

#

\# GLPI - Gestionnaire Libre de Parc Informatique

#

\# http://glpi-project.org

#

\# @copyright 2015-2022 Teclib' and contributors.

\# @copyright 2003-2014 by the INDEPNET Development Team.

\# @licence https://www.gnu.org/licenses/gpl-3.0.html

#

\# ---------------------------------------------------------------------

#

\# LICENSE

#

\# This file is part of GLPI.

#

\# This program is free software: you can redistribute it and/or modify

\# it under the terms of the GNU General Public License as published by

\# the Free Software Foundation, either version 3 of the License, or

\# (at your option) any later version.

#

\# This program is distributed in the hope that it will be useful,

\# but WITHOUT ANY WARRANTY; without even the implied warranty of

\# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

\# GNU General Public License for more details.

#

\# You should have received a copy of the GNU General Public License

\# along with this program. If not, see <https://www.gnu.org/licenses/>.

#

\# ---------------------------------------------------------------------

#}

  

{% extends 'layout/page\_card\_notlogged.html.twig' %}

  

{% block content\_block %}

<div class\="alert alert-warning"\>

<div class\="d-flex align-items-center"\>

<div class\="me-4"\>

<i class\="ti ti-alert-triangle fa-2x"\></i\>

</div\>

<div\>

<h4 class\="alert-title"\>

{{ \_\_("Error") }}

</h4\>

<div\>

{{ error }}

</div\>

  

<a href\="{{ login\_url }}" class\="btn btn-primary mt-3"\>

<i class\="ti ti-login"\></i\>

<span\>{{ \_\_('Log in again') }}</span\>

</a\>

</div\>

</div\>

</div\>

{% endblock %}

CVE-2022-31143: Do not expose CFG_GLPI on anonymous page · glpi-project/glpi@e66a0df

IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 212346.

  

**Summary**

FileNet Content Manager component Administration Console for Content Platform Engine (ACCE) user Operating System command injection security vulnerability

**Vulnerability Details**

**CVEID:**   CVE-2021-38965  
**DESCRIPTION:**   IBM FileNet Content Manager could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.  
CVSS Base score: 6.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212346 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

FileNet Content Manager

5.5.4

FileNet Content Manager

5.5.6

FileNet Content Manager

5.5.7

**Remediation/Fixes**

To resolve these vulnerabilities, install one of the patch sets listed below.

**Product**

**VRMF**

**APAR**

**Remediation/First Fix**

FileNet Content Manager

5.5.4  
5.5.6  
5.5.7

PJ46654  
PJ46654  
PJ46654

5.5.4.0-P8CPE-IF007 - 1/14/2022  
5.5.6.0-P8CPE-IF003 - 1/14/2022  
5.5.7.0-P8CPE-IF002 - 1/14/2022

  
In the above table, the APAR links will provide more information about the fix.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

14 January 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSNVNV","label":"FileNet Content Manager"},"Component":"Content Platform Engine Containers, Content Platform Engine","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF051","label":"Linux on IBM Z Systems"},{"code":"PF033","label":"Windows"}\],"Version":"5.5.4; 5.5.6; 5.5.7","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2021-38965: Security Bulletin: IBM FileNet Content Manager Operating System command injection security vulnerability

IBM MQ Appliance 9.2 CD and 9.2 LTS could allow an attacker to enumerate account credentials due to an observable discrepancy in valid and invalid login attempts. IBM X-Force ID: 220487.

  

**Summary**

IBM MQ Appliance has resolved account enumeration and denial of service vulnerabilities.

**Vulnerability Details**

**CVEID:**   CVE-2022-22356  
**DESCRIPTION:**   IBM DataPower Gateway could allow an attacker to enumerate account credentials due to an observable discrepancy in valid and invalid login attempts.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220487 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-22355  
**DESCRIPTION:**   IBM MQ Appliance and IBM DataPower Gateway are vulnerable to a denial of service in the Login component of the application which could allow an attacker to cause a drop in performance.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220486 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM MQ Appliance

9.2 CD

IBM MQ Appliance

9.2 LTS

**Remediation/Fixes**

These vulnerabilities are addressed under IT40182

**IBM strongly recommends addressing the vulnerability now.**

**IBM MQ Appliance version 9.2 LTS**

**IBM MQ Appliance version 9.2 CD**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

04 April 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU053","label":"Cloud \\u0026 Data Platform"},"Product":{"code":"SS5K6E","label":"IBM MQ Appliance"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"9.2.0.0;9.2.0.1;9.2.0.2;9.2.0.3;9.2.0.4;9.2.0.5;9.2.1;9.2.2;9.2.3;9.2.4;9.2.5","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}\]

CVE-2022-22356: Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355)

An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Unauthenticated remote command execution can occur via the management portal.

**Revision History**

*   1.0: November 30, 2022 – Initial Public Release

**Summary**

Veritas has addressed vulnerabilities impacting both NetBackup Flex Scale and Access Appliance

**Issues**

**Issue #1 - Unauthenticated Remote Command Execution**

Access Appliance and NetBackup Flex Scale are vulnerable to an unauthenticated remote command execution vulnerability.

*   CVE ID: TBA
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
*   Affected Product & Version:
    *   NetBackup Flex Scale 3.0 and prior
    *   Access Appliance 8.0.100 and prior
*   Recommended Action:
    *   NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix
    *   Access Appliance: Upgrade to 7.4.3.300 or 8.0.100 and apply corresponding HotFix.

**Issue #2 – Authenticated Remote Command Execution**

Access Appliance and NetBackup Flex Scale are vulnerable to an authenticated remote command execution vulnerability

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   Affected Product & Version:
    *   NetBackup Flex Scale 3.0 and prior
    *   Access Appliance 8.0.100 and prior
*   Recommended Action:
    *   NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix
    *   Access Appliance: Upgrade to version 7.4.3.300 or 8.0.100 and apply corresponding HotFix.

**Issue #3 – Default Credentials Persisted for Primary User**

A default password is persisted after installation and may be discovered and used to escalate privileges.

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   Affected Product & Version:
    *   NetBackup Flex Scale 3.0 and prior
    *   Access Appliance 8.0.100 and prior
*   Recommended Action:
    *   NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix
    *   Access Appliance: Upgrade to 7.4.3.300 or 8.0.100 and apply corresponding HotFix.

**Issue #4 – Restricted Shell Allows Escape to Regular Shell**

It is possible for a non-privileged user to escape a restricted shell and execute privileged commands.

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   Affected Product & Version:
    *   NetBackup Flex Scale 3.0 and prior
*   Recommended Action:
    *   NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix

**Issue #5 – Shell Privilege Escalation**

An attacker with non-root privileges may escalate privileges to root using specific commands.

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   Affected Product & Version:
    *   NetBackup Flex Scale 3.0 and prior
*   Recommended Action:
    *   NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix

**Notes**

To download the appropriate Hot Fix for NetBackup Flex Scale or Access Appliance, please see the Veritas Support Download page.

**Questions**

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-46414: Hotfix for Security Advisory Impacting NetBackup Flex Scale and Access Appliance

An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Authenticated remote command execution can occur via the management portal.

CVE-2022-46413: Hotfix for Security Advisory Impacting NetBackup Flex Scale and Access Appliance

An issue was discovered in Veritas NetBackup Flex Scale through 3.0. A non-privileged user may escape a restricted shell and execute privileged commands.

CVE-2022-46412: Hotfix for Security Advisory Impacting NetBackup Flex Scale and Access Appliance

An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. A default password is persisted after installation and may be discovered and used to escalate privileges.

CVE-2022-46411: Hotfix for Security Advisory Impacting NetBackup Flex Scale and Access Appliance

An issue was discovered in Veritas NetBackup Flex Scale through 3.0. An attacker with non-root privileges may escalate privileges to root by using specific commands.

CVE-2022-46410: Hotfix for Security Advisory Impacting NetBackup Flex Scale and Access Appliance

A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later QTS 5.0.1.2234 build 20221201 and later

<< Back to Security Advisory List

*   **Release date:** January 30, 2023
*   **Security ID:** QSA-23-01
*   **Severity:** Critical
*   **CVE identifier:** CVE-2022-27596
*   **Affected products:** QTS 5.0.1, QuTS hero h5.0.1
*   **Status:** Resolved

**Summary**

A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following operating system versions:

*   QTS 5.0.1.2234 build 20221201 and later
*   QuTS hero h5.0.1.2248 build 20221215 and later

**Recommendation**

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

**Updating QTS or QuTS hero**

1.  Log in to QTS or QuTS hero as an administrator.
2.  Go to **Control Panel** > **System** > **Firmware Update**.
3.  Under **Live Update**, click **Check for Update**.  
    QTS or QuTS hero downloads and installs the latest available update.

**Tip:** You can also download the update from the QNAP website. Go to **Support** > **Download Center** and then perform a manual update for your specific device.

**Attachment**

*   CVE-2022-27596.json

**Acknowledgements:** huasheng\_mangguo

**Revision History:** V1.0 (January 30, 2023) - Published

CVE-2022-27596: Vulnerability in QTS and QuTS hero - Security Advisory

Proof of concept exploit for Check Point Security Gateways that allows an unauthenticated remote attacker to read the contents of an arbitrary file located on the affected appliance.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us