Vulnerabilities (CVE)

Filtered by vendor Eyesofnetwork Subscribe
Filtered by product Eyesofnetwork
Total 36 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-41571 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 N/A 9.8 CRITICAL
An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Local file inclusion can occur.
CVE-2022-41570 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 N/A 9.8 CRITICAL
An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Unauthenticated SQL injection can occur.
CVE-2022-24612 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 3.5 LOW 5.4 MEDIUM
An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS.
CVE-2021-40643 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 10.0 HIGH 9.8 CRITICAL
EyesOfNetwork before 07-07-2021 has a Remote Code Execution vulnerability on the mail options configuration page. In the location of the "sendmail" application in the "cacti" configuration page (by default/usr/sbin/sendmail) it is possible to execute any command, which will be executed when we make a test of the configuration ("send test mail").
CVE-2021-33525 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 9.0 HIGH 8.8 HIGH
EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.
CVE-2021-27514 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 7.5 HIGH 9.8 CRITICAL
EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation).
CVE-2021-27513 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 6.5 MEDIUM 8.8 HIGH
The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."
CVE-2020-9465 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie.
CVE-2020-8657 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
CVE-2020-8656 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
CVE-2020-8655 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 9.3 HIGH 7.8 HIGH
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.
CVE-2020-8654 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 9.0 HIGH 8.8 HIGH
An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field.
CVE-2020-27887 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 9.0 HIGH 8.8 HIGH
An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php.
CVE-2020-27886 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php).
CVE-2020-24390 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
eonweb in EyesOfNetwork before 5.3-7 does not properly escape the username on the /module/admin_logs page, which might allow pre-authentication stored XSS during login/logout logs recording.
CVE-2019-14923 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 6.5 MEDIUM 8.8 HIGH
EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.
CVE-2017-6088 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 9.0 HIGH 7.2 HIGH
Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) bp_name, (2) display, (3) search, or (4) equipment parameter to module/monitoring_ged/ged_functions.php or the (5) type parameter to monitoring_ged/ajax.php.
CVE-2017-16000 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 6.5 MEDIUM 7.2 HIGH
SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the graph parameter to module/capacity_per_label/index.php.
CVE-2017-15933 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 6.5 MEDIUM 7.2 HIGH
SQL injection vulnerability vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the host parameter to module/capacity_per_device/index.php.
CVE-2017-15880 1 Eyesofnetwork 1 Eyesofnetwork 2024-11-21 6.5 MEDIUM 7.2 HIGH
SQL injection vulnerability vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the group_name parameter to module/admin_group/add_modify_group.php (for insert_group and update_group).