This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Nedi First view 2020-06-26
Product Nedi Last view 2020-11-02
Version 1.9c Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:nedi:nedi

Activity : Overall

Related : CVE

  Date Alert Description
5.4 2020-11-02 CVE-2020-23989

NeDi 1.9C allows pwsec.php oid XSS.

5.4 2020-11-02 CVE-2020-23868

NeDi 1.9C allows inc/rt-popup.php d XSS.

5.4 2020-07-07 CVE-2020-15037

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.

5.4 2020-07-07 CVE-2020-15036

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.

5.4 2020-07-07 CVE-2020-15035

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Map.php hde parameter.

5.4 2020-07-07 CVE-2020-15034

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Setup.php tet parameter.

5.4 2020-07-07 CVE-2020-15033

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the snmpget.php ip parameter.

5.4 2020-07-07 CVE-2020-15032

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Incidents.php id parameter.

5.4 2020-07-07 CVE-2020-15031

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php chg parameter.

5.4 2020-07-07 CVE-2020-15030

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Routes.php rtr parameter.

5.4 2020-07-07 CVE-2020-15029

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php sn parameter.

5.4 2020-07-07 CVE-2020-15028

NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Map.php xo parameter.

8.8 2020-06-29 CVE-2020-14414

NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw parameter. (This can also be exploited via CSRF.)

6.1 2020-06-29 CVE-2020-14413

NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.

8.8 2020-06-29 CVE-2020-14412

NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter. (This can also be exploited via CSRF.)

6.1 2020-06-26 CVE-2020-15017

NeDi 1.9C is vulnerable to reflected cross-site scripting. The Devices-Config.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the sta GET parameter.

6.1 2020-06-26 CVE-2020-15016

NeDi 1.9C is vulnerable to reflected cross-site scripting. The Other-Converter.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the txt GET parameter.

CWE : Common Weakness Enumeration

%idName
88% (15) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
11% (2) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...