CyberArk Credential Providers and possibly other Vault components use credential files to store usernames and encrypted passwords. Under certain conditions, the effective key space used to encrypt the passwords is significantly reduced. For an attacker who understands the key derivation scheme and encryption mechanics, full access to the information used to derive the encryption key is sufficient to reduce effective key space to one. With partial access, the effective key space can vary depending on the information available, and a number of those variations are unlikely to withstand brute force attacks. Versions prior to 12.1 are affected.
5892fd05072b614b7847d3f43b864bd8335e297210e52ccf34c86d2321cd721f
An attacker with authenticated access to VICIdial version 2.14-917a as an agent can execute arbitrary shell commands as the root user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
6b4666c70098b4747658896c605a4f2b8c41c41c51144da20cf5be37e90a20b0
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial version 2.14-917a to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
4fe5d734ae07a38eb7770811089de30239da19ca25794be8de02bb80d866aa1f
Journyx version 11.5.4 has an issue where the soap_cgi.pyc API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.
d02349f8de0a00286e575cc45dab4471af755c8a75e014e67fe77d724cd9c5fa
Journyx version 11.5.4 suffers from a cross site scripting vulnerability due to mishandling of the error_description during an active directory login flow.
9a80a13f999f61d2fbcd9c872ce0429b0fdbb765e1d12b15c39ea815ad17aa65
Journyx version 11.5.4 has an issue where attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow.
3bd6b3cad1bc2ee8d0610e9fb86fce5f44fde3b2f6c6e92fc16ee37f0e43bb27
Journyx version 11.5.4 suffers from an issue where password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.
71ffa9c9bad198abbd7c7f62d4385be15d0013937d9b80df7f1749718fd1d3b1
Open WebUI version 0.1.105 suffers from arbitrary file upload and path traversal vulnerabilities.
ec5387176f30bac9fa4d3eadc1c952af22cf21e137493ca6d50297eda34a6c34
Open WebUI version 0.1.105 suffers from a persistent cross site scripting vulnerability.
658c9c08ea4ec4d262623596aacd371e3b13671c5709eaa27c2e69d347ea9ae5
Services that are running and bound to the loopback interface on the Artica Proxy version 4.50 are accessible through the proxy service. In particular, the tailon service is running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Using the tailon service, the contents of any file on the Artica Proxy can be viewed.
0693c2ce363baaef7b371443418fb29623edc052f8d82f02eea207672f271e4b
The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.
4e458aef9f797d0714e86e3cbbbe7fdd8225fa1b68b23cd60a66a992d28a4eb5
The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user. Version 4.50 is affected.
8e2ee354af5fde39323dcb9b78bd8d0b892172400746b1b66015b3a87cbd8630
Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.
ee5d3d2cce629647f1cc48769c74910aca7883ad99b79b7b1c766a0e28a65ddf
Kleeja version 1.5.4 suffers from a cross site scripting vulnerability.
410a4a9f610871f42b03b0048c200005e8a0edb28fcfd26e67518ce5a6c1ccd8
Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 suffers from an unpatched vulnerability in sudoedit, allowed by sudo configuration, which permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root.
9caf2d86fd42cb7a6098a98695d2f0c8ac71c65afef31f1c6345f008453f417a
Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to run arbitrary commands as root via the tcpdump command without a password.
f0f074bfbbdfcf50b89b456bedfa1d6e2dad916eb9c805528576e82777cae103
Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to read root-only files via the dig command without a password.
9a639b868d2a607d6808f5cc9c66c20f4c697461ce4034c2ce7534df93c6ec6e
Moxa TN-5900 versions 3.1 and below suffer from an issue where a user who has authenticated to the management web application is able to leverage a command injection vulnerability in the p12 processing code of the certificate management function web_CERMGMTUpload.
35bd8ec3c5b38937aa9d5775e8ed2feaacd3dfed7c92d6ae96cb03bf16903bcb
Moxa TN-5900 versions 3.1.0 and below use an insecure method to validate firmware updates. A malicious user with access to the management interface can upload arbitrary code in a crafted
2ac55dc0e94a52eae63ae9272eda3788cbe1002c37fa22d4db10498c8ab74404
CyberArk Credential Providers can be configured to retain passwords, password metadata, and other application properties in a local, encrypted cache file. Under certain conditions, the effective key space used to encrypt the cache is significantly reduced. For an attacker who understands the key derivation scheme and encryption mechanics, full access to the information used to derive the encryption key is sufficient to reduce effective key space to one. Even in cases where the information is not known, the encrypted cache files will likely be unable to withstand a brute force attack. However, the severity of this issue is partially mitigated by the privilege level required (root) for access. Versions prior to 12.1 are affected.
6ba600d5651668bd7a2786e7c90c3b163cf2bc3b791d517d99bf09f429b3691f
CyberArk's Credential Provider loopback communications on TCP port 18923 are encrypted with key material that has extremely low entropy. In all currently-known use cases, the effective key space is less than 2^16. For an attacker who understands the key derivation scheme and encryption mechanics, knowledge of the source port and access to the payloads of a given client-server exchange are sufficient to reduce effective key space to one. In cases where the source port is not known, the encrypted payloads will be unable to withstand a brute force attack. Additionally, the user identification mechanism used by CyberArk's Credential Provider is vulnerable to a race condition where an unauthorized/unprivileged user can submit one or more encrypted query requests. If the race is won, the attacker will be able to retrieve sensitive information including passwords and password metadata. Versions prior to 12.1 are affected.
7dede6bcc7b3021a2a5c5df1eb3c7bc0663ae7d954677866d63352936b9f568a
An upgrade account is included in the IoT Controller OVA that provides the vendor undocumented access via Secure Copy (SCP).
f6519f57eed331c93ca5644c3a83e240cb6fe2ee50133663e8ee3dad642af551
The IoT Controller web application includes a NodeJS module, node-red, which has the capability for users to read or write to local files on the IoT Controller. With the elevated privileges the web application runs as, this allowed for reading and writing to any file on the IoT Controller filesystem.
ab0f31561d42610f5ba5969c33fa30d3f807865c8f1eaac846a5b376b04319c7
A Python script (web.py) for a Dockerized webservice contains a directory traversal vulnerability, which can be leveraged by an authenticated attacker to view the contents of directories on the IoT Controller.
671f09dc7253e2fd4b96a2bd934c4db733ea5c114369ba82a1d81b35d72836f3
An undocumented, administrative-level, hard-coded web application account exists in the IoT Controller OVA which cannot be changed by the customer.
2486beac57efb14715dc2756e1ddce5fd0beb0268fa52ef3547894a1a7be04a5
Hard-coded, system-level credentials exist on the Ruckus IoT Controller OVA image, and are exposed to attackers who mount the filesystem.
df1716ceee1afc4991054f7d3e009a901d7b28289e89a2bebb461c0a64b3b1d9