QNAP QTS version 4.2.1 Build 20160601 suffers from an arbitrary file overwrite vulnerability.
1b6b302fa261390c5f0c6aa9787378c2eaa3685d815a17a90ab3bfb40b207096The SySS GmbH found out that different functions of the web application perfact::mpa are prone to persistent cross-site scripting attacks due to insufficient user input validation.
3de9ebd0a6d7d71bc98db0dbfca47d2036e6cb55c8c5730f0710bc34b796c3d7The SySS GmbH found out that different resources of the web application perfact::mpa can be directly accessed by the correct URL due to improper user authorization checks. That is, unauthorized users can access different functions of the perfact::mpa web application.
9ddb061b9a0b9ab1cc362d42499ce13c2180721efde797ef3793f8df0246c9b2The SySS GmbH found out that the web application perfact:mpa accepts user-controlled input via the URL parameter "redir" that can be used to redirect victims to an arbitrary site which simplifies so-called phishing attacks.
1240006c91f037df38cbcd2cbcc641d8f0ac32f2445fa4d65f159730f692deb7The SySS GmbH found out that any logged in user is able to download valid VPN configuration files of arbitrary existing remote sessions. All an intruder needs to know is the URL with the dynamic parameter "brsessid". Due to the modification of this incremental increasing integer value, it is possible to enumerate and download a valid VPN configuration file for every existing remote session.
0395cba8a67f491b8450abca96173ea16da49abe7cd6b3f2d88cf3e02d04710cThe tested web application perfact::mpa offers no protection against cross-site request forgery (CSRF) attacks. This kind of attack forces end users respectively their web browsers to perform unwanted actions in a web application context in which they are currently authenticated.
2b1425b7f0db4e14f7b33d9778f0a59b7e1c1b93b42771c51ac1b69ae8116af3SySS GmbH found out that unauthorized users are able to download arbitrary files of other users that have been uploaded via the file upload functionality. As the file names of uploaded files are incremental integer values, it is possible to enumerate and download all uploaded files without any authorization.
b599bdab77ad574016e3a7c31c5ca968b8a2daac827a37f269eb26e143e5fe99SySS GmbH found out that the request new user and translation functionalities of the web application perfact::mpa are prone to reflected cross-site scripting attacks.
c41cae5aadb2813a38940d61e582bbde74c6eac30c32083652ec5ccf789a03e0OpenCms version 9.5.2 suffers from a cross site scripting vulnerability.
90836f4c2cffaaf16a53502663f30a5c82ff5d7140b8933a573d1c03a30e34a1Thru Managed File Transfer Portal version 9.0.2 suffers from an insecure direct object reference vulnerability in the contacts list functionality.
04bf2eec97770c7bbdcc28f9522714c4b0542d404957116ca9741cfcd118f04aThru Managed File Transfer Portal version 9.0.2 suffers from an insecure direct object reference vulnerability in the upload functionality.
f0fc879814ce1f79dd42f81a3bfde9648a14d4d21f9c544a934eff7660ae4c39The Thru Managed File Transfer application version 9.0.2 allows both unauthenticated and authenticated users to upload files, including viruses.
178fc60f24aa280af3d976a9ac3ef913d89f1c7872bc906e522d80c60a97306bThru Managed File Transfer Portal version 9.0.2 suffers from an insecure direct object reference vulnerability that references log data.
2147fd1a7ff3b5ec34b6336e5ee66f68da4bfc155effb2b3a760db009af938d9Novell Filr version 1.2.0 build 846 suffers from a cross site scripting vulnerability.
86b28f39cecdb7be563acb8a2f24c7e992a2c156cabd954c2ee3d4d4d3b8da2dThru Managed File Transfer Portal version 9.0.2 suffers from a remote SQL injection vulnerability.
e5c2bd00a93ce0b886ab5d27c5ecc5d879763a1889a4729da8faf34af093fd77Thru Managed File Transfer Portal version 9.0.2 suffers from a cross site scripting vulnerability.
e0c6c0e9ba1dfbb79a77ae2d57381ec098b0846532313373f1f0ef0c0886b5c6ownCloud versions 8.2.1 and below, 8.1.4 and below, and 8.0.9 and below suffer from an information exposure vulnerability via directory listings.
2a03e49b47f5b92a36e0f7c8b25d095b6e9255abca3e8fe34b1f15409b04a89csysPass versions 1.1.2.23 and below suffer from a cross site scripting vulnerability.
fccd3f6bd7b3f2d36da082f59aaa70d871cc6f8aa84ce409fb7f5e31656b9346sysPass versions 1.0.9 and below allow for system backups to be downloaded by an external attacker.
3f4f1197fb6b356561f3a5d4c13b670af0b0739a649d539b75953ebc8ae7b8d5An improper validation check in Wirecard Checkout Page version 1.0 allows for price manipulation.
4ffd92860793ff45edfbcf60723efee162f13fe3376e2ff564acfa3643017ba4Password Safe and Repository Enterprise version 7.4.4 Build 2247 suffers from remote SQL injection and authentication bypass vulnerabilities.
912329f72ad8b3fa3e4c5025c1548e060893d43692df38044806d8bed8cc8a2bPassword Safe and Repository Enterprise version 7.4.4 Build 2247 suffers from insufficiently protecting credentials by using an unsalted MD5 hash for protection.
aa3f253285227ed11f229a3e22241cb871c5accd91980275c406e839bee0740fSecure MFT versions 2013 R3, 2014 R1/R2, and 2015 R1 suffer from a cross site request forgery vulnerability.
7b7b950f13f6e8a3166c6357b150cb9a151e2570df70f27a19579dd07eb18a21By analyzing the password-based authentication for unloading the Kaspersky Small Office Security protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the module avpmain.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Small Office Security in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.
f56f7f4ad60158ad733a4f73ea4635638de505c45f25ef6e8047b7a8a8e5a7ceThe SySS GmbH found out that the admin password for protecting different functions of the Kaspersky Endpoint Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.
8a7c74b5cbb75ec15cb0f9a3938c69c29a10c97069f7ba7e4871500310fbc21cBy analyzing the password-based authentication for unloading the Kaspersky Endpoint Security for Windows protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe, which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Endpoint Security for Windows in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.
2d0462fc09a2607d7ee16b44834d6ec901e61cace833e168b9102654473f32bc
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed