lodestone-security/CVEs

GitHub

github.com

Releases0

Stars4

CVEs reported by Lodestone Security.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2020-13168 ↗	Oct 2, 2020Friday, 2 October 2020, 09:15	6.1 MEDIUM	4.3 MEDIUM
SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter.
CVE-2019-18869 ↗	May 7, 2020Thursday, 7 May 2020, 14:15	9.8 CRITICAL	7.5 HIGH
Leftover Debug Code in Blaauw Remote Kiln Control through v3.00r4 allows a user to execute arbitrary php code via /default.php?idx=17.
CVE-2019-18864 ↗	May 7, 2020Thursday, 7 May 2020, 14:15	7.5 HIGH	5 MEDIUM
/server-info and /server-status in Blaauw Remote Kiln Control through v3.00r4 allow an unauthenticated attacker to gain sensitive information about the host machine.
CVE-2019-18866 ↗	May 7, 2020Thursday, 7 May 2020, 14:15	7.5 HIGH	5 MEDIUM
Unauthenticated SQL injection via the username in the login mechanism in Blaauw Remote Kiln Control through v3.00r4 allows a user to extract arbitrary data from the rkc database.
CVE-2019-18870 ↗	May 7, 2020Thursday, 7 May 2020, 14:15	6.5 MEDIUM	4 MEDIUM
A path traversal via the iniFile parameter in excel.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to download arbitrary files from the host machine.
CVE-2019-18871 ↗	May 7, 2020Thursday, 7 May 2020, 14:15	8.8 HIGH	6.5 MEDIUM
A path traversal in debug.php accessed via default.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to upload arbitrary files, leading to arbitrary remote code execution.
CVE-2019-18872 ↗	May 7, 2020Thursday, 7 May 2020, 14:15	7.5 HIGH	5 MEDIUM
Weak password requirements in Blaauw Remote Kiln Control through v3.00r4 allow a user to set short or guessable passwords (e.g., 1 or 1234).
CVE-2019-18865 ↗	May 7, 2020Thursday, 7 May 2020, 13:15	5.3 MEDIUM	5 MEDIUM
Information disclosure via error message discrepancies in authentication functions in Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to enumerate valid usernames.
CVE-2019-18867 ↗	May 7, 2020Thursday, 7 May 2020, 13:15	7.5 HIGH	5 MEDIUM
Browsable directories in Blaauw Remote Kiln Control through v3.00r4 allow an attacker to enumerate sensitive filenames and locations, including source code. This affects /ajax/, /common/, /engine/, /flash/, /images/, /Images/, /jscripts/, /lang/, /layout/, /programs/, and /sms/.
CVE-2019-18868 ↗	May 7, 2020Thursday, 7 May 2020, 13:15	9.8 CRITICAL	5 MEDIUM
Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc, /lang/nl.bak, or /lang/en.bak.
CVE-2019-16404 ↗	Oct 21, 2019Monday, 21 October 2019, 23:15	8.8 HIGH	6.5 MEDIUM
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
CVE-2019-17409 ↗	Oct 21, 2019Monday, 21 October 2019, 01:15	6.1 MEDIUM	4.3 MEDIUM
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.
CVE-2019-16862 ↗	Oct 21, 2019Monday, 21 October 2019, 01:15	6.1 MEDIUM	4.3 MEDIUM
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.
CVE-2019-17179 ↗	Oct 4, 2019Friday, 4 October 2019, 19:15	6.1 MEDIUM	4.3 MEDIUM
4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, fixed in version 5.0.2.1