In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. This affects NeDi 1.0.7 for OS X 1.0.7 <= and NeDi for Suse 1.0.7 <= and NeDi for FreeBSD 1.0.7 <=.
CVSS Score
9.1
EPSS Score
0.009
Published
2022-10-06
NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.
CVSS Score
9.9
EPSS Score
0.006
Published
2021-02-12
NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and obtain access to the NeDi application.
CVSS Score
8.8
EPSS Score
0.004
Published
2021-02-12
NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.
CVSS Score
8.8
EPSS Score
0.009
Published
2021-02-12
NeDi 1.9C allows inc/rt-popup.php d XSS.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-11-02
NeDi 1.9C allows pwsec.php oid XSS.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-11-02
NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Map.php xo parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php sn parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Routes.php rtr parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php chg parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-07-07
Page 1