Filtered by vendor Nedi
Subscriptions
Filtered by product Nedi
Subscriptions
Total
26 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-14413 | 1 Nedi | 1 Nedi | 2024-08-04 | 6.1 Medium |
NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value. | ||||
CVE-2020-14412 | 1 Nedi | 1 Nedi | 2024-08-04 | 8.8 High |
NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter. (This can also be exploited via CSRF.) | ||||
CVE-2021-26753 | 1 Nedi | 1 Nedi | 2024-08-03 | 9.9 Critical |
NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data. | ||||
CVE-2021-26752 | 1 Nedi | 1 Nedi | 2024-08-03 | 8.8 High |
NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data. | ||||
CVE-2021-26751 | 1 Nedi | 1 Nedi | 2024-08-03 | 8.8 High |
NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and obtain access to the NeDi application. | ||||
CVE-2022-40895 | 1 Nedi | 1 Nedi | 2024-08-03 | 9.1 Critical |
In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. This affects NeDi 1.0.7 for OS X 1.0.7 <= and NeDi for Suse 1.0.7 <= and NeDi for FreeBSD 1.0.7 <=. |