Ocsinventory-ng : Security Vulnerabilities, CVEs, CVSS score >= 7
Unrestricted file upload (with remote code execution) in OCS Inventory NG ocsreports allows a privileged user to gain access to the server via crafted HTTP requests.
Max CVSS: 8.8 | EPSS Score: 0.16% | Published: 2018-11-29 | Updated: 2019-01-31
Unrestricted file upload (with remote code execution) in require/mail/NotificationMail.php in Webconsole in OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.
Max CVSS: 8.8 | EPSS Score: 0.73% | Published: 2018-08-06 | Updated: 2018-10-10
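Both upload entries above come down to the same defect: the web console stores a client-named template file without restricting its extension, so a file ending in .php lands where the web server will execute it. The following is an added example, not OCS Inventory code, that shows that permissive pattern beside a hardened one. The storage directory, the function names and the sample uploads are constructed for the illustration.

```php
<?php
// Added example (not OCS Inventory code): validation of an uploaded
// notification template, in the permissive form described by the two
// entries above and in a hardened form. TEMPLATE_DIR and the sample
// uploads are assumptions constructed for the demonstration.

const TEMPLATE_DIR = '/var/lib/ocsinventory/templates'; // assumed: a directory the web server does not serve

// Permissive pattern: the client-supplied name is used as-is, so
// "shell.php" (or "x.phtml", ".htaccess", "../foo") ends up on disk unchanged.
function template_path_vulnerable(string $clientName, string $body): string
{
    return TEMPLATE_DIR . '/' . $clientName;
}

// Hardened pattern: (1) strip any directory part, (2) allow-list exactly one
// extension instead of deny-listing .php (Apache may also execute .phtml,
// .phar, .php5 ...), (3) refuse PHP open tags in the body, (4) store under a
// server-chosen name so the client never controls what the file is called.
function template_path_hardened(string $clientName, string $body): string
{
    $name = basename($clientName);
    // one plain stem plus ".html"; rejects "x.html.php" and "x.php.html" alike
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.html$/i', $name)) {
        throw new InvalidArgumentException("rejected '$clientName': only .html templates are accepted");
    }
    // a mail template has no use for "<?"; this also covers "<?=" and short open tags
    if (strpos($body, '<?') !== false) {
        throw new InvalidArgumentException("rejected '$clientName': PHP code in template body");
    }
    return TEMPLATE_DIR . '/' . bin2hex(random_bytes(8)) . '.html';
}

// Constructed sample uploads: [client file name, file body]
$samples = [
    ['mail.html',                  '<html><body>Host %HOST% changed</body></html>'],
    ['shell.php',                  '<?php system($_GET["c"]); ?>'],
    ['mail.html',                  '<html><?php echo shell_exec("id"); ?></html>'],
    ['x.html.php',                 '<html></html>'],
    ['../../etc/cron.d/mail.html', '<html></html>'],
];

foreach ($samples as [$name, $body]) {
    printf("%-30s vulnerable -> %s\n", $name, template_path_vulnerable($name, $body));
    try {
        printf("%-30s hardened   -> %s\n", $name, template_path_hardened($name, $body));
    } catch (InvalidArgumentException $e) {
        printf("%-30s hardened   -> %s\n", $name, $e->getMessage());
    }
}
```

Run it with `php` on the command line. The point to take from the last sample is that basename() alone neutralises the traversal but not the content; the extension allow-list and the server-chosen file name are what keep an authenticated administrator from turning the template feature into a web shell.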
OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities (XXE). This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information (such as local files readable by the server process) or cause a Denial of Service.
Max CVSS: 9.1 | EPSS Score: 1.46% | Published: 2018-08-04 | Updated: 2018-10-01
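The entry above describes the configuration side of an XXE flaw: the parser is allowed to resolve external entities declared in a DOCTYPE. The following added example, which is not OCS Inventory code, parses one constructed inventory-style document twice with PHP's DOMDocument, first with an entity-expanding configuration and then with a hardened one. The payload, element names and function names are assumptions for the demonstration; it reads /etc/hostname only so the effect is visible on a local machine.

```php
<?php
// Added example (not OCS Inventory code): the same XML document parsed with
// an entity-expanding configuration and with a hardened one. The payload and
// the element names are constructed for the demonstration.

$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE REQUEST [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<REQUEST><DEVICEID>&xxe;</DEVICEID></REQUEST>
XML;

// Weak configuration: LIBXML_NOENT substitutes entities, SYSTEM ones included,
// so the parser reads the file named by the attacker into DEVICEID. Whatever
// the application later echoes or stores leaks it; a huge or slow resource,
// or a recursively defined entity, gives the denial-of-service variant instead.
// On PHP < 8.0 the external loader is on by default, so loadXML() with
// LIBXML_NOENT expands SYSTEM entities unless libxml_disable_entity_loader(true)
// was called first; on PHP >= 8.0 passing LIBXML_NOENT re-enables it.
function deviceid_weak(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    $node = $doc->getElementsByTagName('DEVICEID')->item(0);
    return $node === null ? '' : trim($node->textContent);
}

// Hardened configuration: no entity substitution, no DTD loading, no network
// access, and any document carrying a DOCTYPE is rejected outright, since the
// inventory format has no legitimate need for one. libxml errors are collected
// rather than emitted so a malformed document cannot spray warnings into output.
function deviceid_hardened(string $xml): string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DTD/DOCTYPE not allowed');
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET); // deliberately no LIBXML_NOENT / LIBXML_DTDLOAD
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    $node = $doc->getElementsByTagName('DEVICEID')->item(0);
    return $node === null ? '' : trim($node->textContent);
}

echo "weak:     ", deviceid_weak($payload), "\n";   // contents of /etc/hostname where that file exists
try {
    echo "hardened: ", deviceid_hardened($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
```

Rejecting the DOCTYPE up front is the cheapest check and removes the whole entity machinery at once; the parser flags are the second layer in case a document reaches a parsing call through some other path.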
OCS Inventory 2.4.1 is prone to a remote command-execution vulnerability. Specifically, this issue occurs because the content of the rzo GET parameter of ipdiscover_analyser is concatenated into a string that is passed to an exec() call in the PHP code. Authentication is needed in order to exploit this vulnerability.
Max CVSS: 9.0 | EPSS Score: 0.18% | Published: 2018-08-04 | Updated: 2018-10-02
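The entry above names the root cause precisely: a GET value concatenated into a string handed to exec(), which runs it through /bin/sh. The following added example, not the ocsreports code, reconstructs that pattern as a command builder and places a hardened version beside it. Only the parameter name rzo comes from the entry; the command, its path and the helper names are hypothetical, and the inputs at the bottom are constructed.

```php
<?php
// Added example (not the ocsreports code): the exec() concatenation pattern
// from the entry above, as a vulnerable command builder beside a hardened
// one. Only the parameter name rzo comes from the entry; NETREPORT_BIN and
// the function names are hypothetical.

const NETREPORT_BIN = '/usr/local/bin/netreport'; // hypothetical tool

// Vulnerable pattern: the GET value is spliced into the shell command line,
// so rzo=192.168.1.0;id runs "id" with the web server's privileges because
// exec() hands the whole string to the shell.
function build_command_vulnerable(string $rzo): string
{
    return NETREPORT_BIN . ' -network=' . $rzo;
}

// Hardened pattern, in layers:
//  1. validate against the only shape the value may take (an IPv4 network,
//     optionally with a prefix length) and reject everything else;
//  2. quote the argument with escapeshellarg() anyway;
//  3. keep the binary path absolute so PATH cannot redirect it.
function valid_rzo(string $rzo): bool
{
    if (!preg_match('#^\d{1,3}(?:\.\d{1,3}){3}(?:/(?:\d|[12]\d|3[0-2]))?$#', $rzo)) {
        return false;
    }
    [$ip] = explode('/', $rzo, 2);
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

function build_command_hardened(string $rzo): string
{
    if (!valid_rzo($rzo)) {
        throw new InvalidArgumentException("rejected rzo value: $rzo");
    }
    return NETREPORT_BIN . ' -network=' . escapeshellarg($rzo);
}

// Constructed inputs: one legitimate value and two injection attempts.
foreach (['192.168.1.0/24', '192.168.1.0;id', '$(id)'] as $rzo) {
    echo "input:      ", $rzo, "\n";
    echo "vulnerable: ", build_command_vulnerable($rzo), "\n";
    try {
        echo "hardened:   ", build_command_hardened($rzo), "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   ", $e->getMessage(), "\n";
    }
    echo "\n";
}
```

The string returned by build_command_hardened() is what would be passed to exec(). Validation comes first because it turns the injection into a plain error that can be logged; escapeshellarg() stays in place so that a later relaxation of the regex does not silently reopen the hole.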
OCS Inventory 2.4.1 contains multiple SQL injections in the search engine. Authentication is needed in order to exploit the issues.
Max CVSS: 8.8 | EPSS Score: 0.09% | Published: 2018-08-04 | Updated: 2018-10-01
Multiple SQL injection vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to execute arbitrary SQL commands via the (1) c, (2) val_1, or (3) onglet_bis parameter.
Max CVSS: 7.5 | EPSS Score: 0.20% | Published: 2010-04-28 | Updated: 2017-08-17
SQL injection vulnerability in machine.php in Open Computer and Software (OCS) Inventory NG 1.02.1 allows remote attackers to execute arbitrary SQL commands via the systemid parameter, a different vector than CVE-2009-3040.
Max CVSS: 7.5 | EPSS Score: 0.16% | Published: 2009-09-01 | Updated: 2018-10-10
Multiple SQL injection vulnerabilities in Open Computer and Software (OCS) Inventory NG 1.02 for Unix allow remote attackers to execute arbitrary SQL commands via the (1) N, (2) DL, (3) O, and (4) V parameters to download.php and the (5) SYSTEMID parameter to group_show.php.
Max CVSS: 7.5 | EPSS Score: 0.06% | Published: 2009-09-01 | Updated: 2018-10-10
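The four SQL injection entries above (the 2.4.1 search engine, index.php, machine.php and download.php/group_show.php) share one pattern: a request parameter pasted into the statement text. The following added example, which is not OCS Inventory code, shows that pattern against an in-memory SQLite table so it runs offline, then the two fixes a practitioner needs: a bound parameter for values such as systemid, and an allow-list for anything that must become an identifier, such as a column selected through a parameter like c, because placeholders cannot bind column names. The table, its rows and the function names are constructed for the demonstration.

```php
<?php
// Added example (not OCS Inventory code): the injection pattern behind the
// SQL entries above, shown against a constructed in-memory SQLite table so
// it runs offline. Table, columns, rows and function names are assumptions.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE hardware (id INTEGER PRIMARY KEY, deviceid TEXT, name TEXT)');
$db->exec("INSERT INTO hardware VALUES (1,'PC-1-2018','alice-laptop'),(2,'PC-2-2018','srv-db'),(3,'PC-3-2018','hr-desk')");

// Vulnerable: the systemid parameter is pasted into the statement text, so
// "1 OR 1=1" returns every row and a UNION SELECT reads any other table.
function machine_vulnerable(PDO $db, string $systemid): array
{
    $sql = 'SELECT name FROM hardware WHERE id = ' . $systemid;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: type check, then a bound parameter; the value never touches SQL text.
function machine_hardened(PDO $db, string $systemid): array
{
    if (!ctype_digit($systemid)) {
        throw new InvalidArgumentException('systemid must be a positive integer');
    }
    $st = $db->prepare('SELECT name FROM hardware WHERE id = :id');
    $st->execute([':id' => (int) $systemid]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// A column chosen by the client (a parameter like "c") cannot be bound as a
// placeholder, so it is mapped through an allow-list; the search value is
// still bound, with LIKE wildcards in the user input escaped.
const SEARCHABLE = ['name' => 'name', 'deviceid' => 'deviceid'];

function search_hardened(PDO $db, string $column, string $value): array
{
    if (!isset(SEARCHABLE[$column])) {
        throw new InvalidArgumentException("unknown search column: $column");
    }
    $pattern = '%' . str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value) . '%';
    $st = $db->prepare('SELECT name FROM hardware WHERE ' . SEARCHABLE[$column] . " LIKE :v ESCAPE '\\'");
    $st->execute([':v' => $pattern]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

echo "vulnerable, systemid=1 OR 1=1: ", implode(', ', machine_vulnerable($db, '1 OR 1=1')), "\n";
echo "hardened,   systemid=1:        ", implode(', ', machine_hardened($db, '1')), "\n";
try {
    machine_hardened($db, '1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "hardened,   systemid=1 OR 1=1: ", $e->getMessage(), "\n";
}
echo "search name LIKE srv:          ", implode(', ', search_hardened($db, 'name', 'srv')), "\n";
echo "search name with quote:        ", implode(', ', search_hardened($db, 'name', "srv' OR '1'='1")), "\n";
try {
    search_hardened($db, 'id; DROP TABLE hardware', 'x');
} catch (InvalidArgumentException $e) {
    echo "search bad column:             ", $e->getMessage(), "\n";
}
```

Requires the pdo_sqlite extension, which most PHP builds ship with. The quoted search value produces no match because the quote is data once it is bound; against the vulnerable query the same input would have become part of the WHERE clause.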
Multiple unspecified vulnerabilities in the Server component in OCS Inventory NG before 1.02 have unknown impact and attack vectors.
Max CVSS: 10.0 | EPSS Score: 0.46% | Published: 2009-04-27 | Updated: 2009-04-28
Untrusted search path vulnerability in Agent/Backend.pm in Ocsinventory-Agent before 0.0.9.3, and 1.x before 1.0.1, in OCS Inventory allows local users to gain privileges via a Trojan horse Perl module in an arbitrary directory.
Max CVSS: 7.2 | EPSS Score: 0.04% | Published: 2009-07-09 | Updated: 2009-07-10
10 vulnerabilities found