vembu 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、vendor risk csrf, and パス処理の欠陥 があり、vendor surface software deployment and vendor surface production workloads の利用場面で ファイル上書き and vendor impact session compromise などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2021-43458 | An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths. | [email protected] | 7.8 | 0.08% | 2022-04-04 | 2024-11-21 |
| CVE-2021-26474 | Various Vembu products allow an attacker to execute a (non-blind) http-only Cross Site Request Forgery (Other products or versions of products in this family may be affected too.) | [email protected] | 8.6 | 0.17% | 2021-06-08 | 2024-11-21 |
| CVE-2021-26473 | In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server. | [email protected] | 9.8 | 0.74% | 2021-06-08 | 2024-11-21 |
| CVE-2021-26472 | In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges. | [email protected] | 10.0 | 10.71% | 2021-06-08 | 2024-11-21 |
| CVE-2021-26471 | In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands. | [email protected] | 9.8 | 7.87% | 2021-06-08 | 2024-11-21 |
| CVE-2014-10079 | In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the "ipaddress" hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash. | [email protected] | 5.3 | 9.72% | 2019-02-23 | 2024-11-21 |
| CVE-2014-10078 | Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php. | [email protected] | 6.1 | 1.66% | 2019-02-23 | 2024-11-21 |