SonicWall Scrutinizer Security Vulnerabilities

7 Vulnerabilities
Description

Dell SonicWall Scrutinizer 11.0.1 allows remote authenticated users to change user passwords via the user ID in the savePrefs parameter in a change password request to cgi-bin/admin.cgi.

Impacted versions: 11.0.1

Base Score: 5.5, Severity: MEDIUM, ID: CVE-2014-4976, Last Modified: 2018-03-12T17:23:00Z


Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php.

Impacted versions: 11.0.1

Base Score: 6.5, Severity: MEDIUM, ID: CVE-2014-4977, Last Modified: 2018-03-12T17:23:00Z


d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote attackers to create or overwrite arbitrary files in %PROGRAMFILES%\Scrutinizer\snmp\mibs\ via a multipart/form-data POST request.

Impacted versions: *

Base Score: 9.4, Severity: HIGH, ID: CVE-2012-2627, Last Modified: 2018-03-12T17:21:00Z


The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session.

Impacted versions: *

Base Score: 7.5, Severity: HIGH, ID: CVE-2012-3951, Last Modified: 2018-03-12T17:21:00Z


SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter.

Impacted versions: *

Base Score: 6.5, Severity: MEDIUM, ID: CVE-2012-2962, Last Modified: 2018-03-12T17:21:00Z


cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action.

Impacted versions: *

Base Score: 5.0, Severity: MEDIUM, ID: CVE-2012-2626, Last Modified: 2018-03-08T19:03:00Z


Multiple cross-site scripting (XSS) vulnerabilities in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to d4d/exporters.php, (2) the HTTP Referer header to d4d/exporters.php, or (3) unspecified input to d4d/contextMenu.php.

Impacted versions: *

Base Score: 4.3, Severity: MEDIUM, ID: CVE-2012-3848, Last Modified: 2018-03-08T18:30:00Z
