Zenoss: Security Vulnerabilities
Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain access via a brute-force attack, aka ZEN-15406.
CVSS Score
5.0
EPSS Score
0.005
Published
2014-12-15
Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389.
CVSS Score
4.0
EPSS Score
0.003
Published
2014-12-15
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382.
CVSS Score
5.0
EPSS Score
0.005
Published
2014-12-15
Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to execute arbitrary code by (1) spoofing the callhome server or (2) deploying a crafted web site that is visited during a login session, aka ZEN-12657.
CVSS Score
9.3
EPSS Score
0.019
Published
2014-12-15
Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote attackers to execute arbitrary commands or cause a denial of service (paging outage) by leveraging an unattended workstation, aka ZEN-15412.
CVSS Score
6.8
EPSS Score
0.011
Published
2014-12-15
Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka ZEN-15414, a similar issue to CVE-2003-1564.
CVSS Score
5.0
EPSS Score
0.006
Published
2014-12-15
An unspecified endpoint in Zenoss Core through 5 Beta 3 allows remote attackers to cause a denial of service (CPU consumption) by triggering an arbitrary regular-expression match attempt, aka ZEN-15411.
CVSS Score
5.0
EPSS Score
0.007
Published
2014-12-15
Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions by using a web-endpoint URL to invoke an object helper method, aka ZEN-15407.
CVSS Score
5.0
EPSS Score
0.004
Published
2014-12-15
Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions and place files in a directory with public (1) read or (2) execute access via a move action, aka ZEN-15386.
CVSS Score
7.5
EPSS Score
0.003
Published
2014-12-15
Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the came_from parameter, aka ZEN-11998.
CVSS Score
6.4
EPSS Score
0.005
Published
2014-12-15