Security
Headlines
HeadlinesLatestCVEs

Source

Zero Science Lab

OpenBMCS 2.4 Create Admin / Remote Privilege Escalation

The application suffers from an insecure permissions and privilege escalation vulnerability. A regular user can create administrative users and/or elevate her privileges by sending an HTTP POST request to specific PHP scripts in '/plugins/useradmin/' directory.

Zero Science Lab
#vulnerability
OpenBMCS 2.4 Authenticated SQL Injection

OpenBMCS suffers from an SQL Injection vulnerability. Input passed via the 'id' GET parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

OpenBMCS 2.4 CSRF Send E-mail

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw

The application doesn't allow creation of more than one administrator account on the system. This also applies for deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using dangerous verbs like PUT and DELETE and improper server-side validation. Once a normal account with 'viewer' or 'operator' permissions has been added by the default admin user 'i3admin', a PUT request can be issued calling the 'UserPermission' endpoint with the ID of created account and set it to 'admin' userType, successfully adding a second administrative account.

i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw

The application doesn't allow creation of more than one administrator account on the system. This also applies for deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using dangerous verbs like PUT and DELETE and improper server-side validation. Once a normal account with 'viewer' or 'operator' permissions has been added by the default admin user 'i3admin', a PUT request can be issued calling the 'UserPermission' endpoint with the ID of created account and set it to 'admin' userType, successfully adding a second administrative account.

Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)

The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials within their Linux distribution image. This weakness can lead to the exposure of resources or functionality to unintended actors, providing attackers with sensitive information including executing arbitrary code.

Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection

The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to the wget command in /usr/bin/cmdmain ELF binary.

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation

The application suffers from a privilege escalation vulnerability. A normal user (group USER, 0) can elevate her privileges by sending a HTTP POST request and setting the JSON parameter 'privilege' to integer value '1' gaining administrative rights (group ADMINISTRATOR, 1).

FatPipe Networks WARP 10.2.2 Authorization Bypass

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)

The application has a hidden administrative account 'cmuser' that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.