Total
8 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-45896 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 9.8 CRITICAL |
Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution. | |||||
CVE-2022-45895 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 6.5 MEDIUM |
Planet eStream before 6.72.10.07 discloses sensitive information, related to the ON cookie (findable in HTML source code for Default.aspx in some situations) and the WhoAmI endpoint (e.g., path disclosure). | |||||
CVE-2022-45894 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 6.5 MEDIUM |
GetFile.aspx in Planet eStream before 6.72.10.07 allows ..\ directory traversal to read arbitrary local files. | |||||
CVE-2022-45893 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 8.8 HIGH |
Planet eStream before 6.72.10.07 allows a low-privileged user to gain access to administrative and high-privileged user accounts by changing the value of the ON cookie. A brute-force attack can calculate a value that provides permanent access. | |||||
CVE-2022-45892 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 5.4 MEDIUM |
In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username. | |||||
CVE-2022-45891 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 9.1 CRITICAL |
Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList). | |||||
CVE-2022-45890 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 6.1 MEDIUM |
In Planet eStream before 6.72.10.07, a Reflected Cross-Site Scripting (XSS) vulnerability exists via any metadata filter field (e.g., search within Default.aspx with the r or fo parameter). | |||||
CVE-2022-45889 | 1 Planetestream | 1 Planet Estream | 2024-11-21 | N/A | 7.2 HIGH |
Planet eStream before 6.72.10.07 allows a remote attacker (who is a publisher or admin) to obtain access to all records stored in the database, and achieve the ability to execute arbitrary SQL commands, via Search (the StatisticsResults.aspx flt parameter). |