9/11/2023
Lansweeper 8

Researchers have uncovered several vulnerabilities in the Lansweeper IT asset management platform that could allow an attacker to inject malicious code on a targeted device. The four vulnerabilities affect version 9.1.20.2 of the Lansweeper platform. Lansweeper is widely used in enterprises for asset discovery, management, and security management.

Researchers at Cisco Talos discovered the flaws and reported them to Lansweeper, which released an update to address them on Feb. 21. Each of the vulnerabilities is in an individual .aspx file, and an attacker could send a malicious HTTP request to a vulnerable device to inject malicious code. Three of the vulnerabilities are SQL injection bugs, while the other is a cross-site scripting vulnerability.

"The HTTP request can trigger an error that eventually allows the attacker to inject SQL code. An adversary needs to be authenticated and have proper permissions to exploit these vulnerabilities," the Talos advisory says.

"Users are encouraged to update these affected products as soon as possible: Lansweeper version 9.1.20.2. Talos tested and confirmed this version is affected by these vulnerabilities. Lansweeper 9.2.0 incorporates fixes for these issues."

In the case of the XSS flaw, it's a stored XSS that allows an attacker to inject arbitrary JavaScript.

"An attacker controlling parameters value and name is able to set new values for table fields such as loginmessage and loginfootertext. There is a sanitization attempt for both mentioned fields in line 240 before they get updated with a value of parameter value = text4. Unfortunately this check is not proper, and we can simply bypass it by setting e.g. value of name = text5 to e.g. Loginmessage or loginmessage. In such a way, none of the characters used by us will be removed in line 153," the advisory says.
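The advisory's description of the stored XSS boils down to a settings-update handler that sanitizes a value only when the caller-supplied field name matches a fixed, case-sensitive list, while the database treats column names case-insensitively. The following is an added example, not Lansweeper's code and not taken from the Talos advisory: it models that pattern against an in-memory SQLite table and places a hardened version beside it. The table, the field names, the character-stripping sanitizer and the function names are assumptions made for illustration; the hardened form also addresses the related SQL injection concern by taking the column name from an allow-list rather than from the request.

```python
import re
import sqlite3

# Constructed: the two settings fields the advisory names, as the handler's
# case-sensitive allow-list for "which values get sanitized".
SANITIZED_FIELDS = {"loginmessage", "loginfootertext"}

# Constructed: canonical column names keyed by their normalized form.
ALLOWED_COLUMNS = {"loginmessage": "loginmessage",
                   "loginfootertext": "loginfootertext"}


def strip_markup(value: str) -> str:
    """Assumed sanitizer: drop characters that open a tag or an attribute.
    (Character stripping is shown because the advisory describes one; in
    practice, context-aware output encoding is the stronger control.)"""
    return re.sub(r"[<>\"']", "", value)


def update_setting_vulnerable(conn, name: str, value: str) -> None:
    """Models the flawed check. The membership test is case-sensitive, so a
    field name such as 'Loginmessage' skips sanitization, yet SQLite (like
    most engines) resolves the column name case-insensitively, so the
    unsanitized value still lands in the 'loginmessage' column. Interpolating
    the raw name into the statement is also an injection sink in itself."""
    if name in SANITIZED_FIELDS:
        value = strip_markup(value)
    conn.execute(f"UPDATE settings SET {name} = ?", (value,))


def update_setting_hardened(conn, name: str, value: str) -> None:
    """Normalize before the allow-list lookup, take the column name from the
    allow-list (never from the request), and sanitize unconditionally. The
    value is bound as a parameter; column names cannot be parameterized,
    which is exactly why they must come from a fixed set."""
    key = name.strip().lower()
    if key not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown setting: {name!r}")
    column = ALLOWED_COLUMNS[key]
    conn.execute(f"UPDATE settings SET {column} = ?", (strip_markup(value),))


def read_login_message(conn) -> str:
    return conn.execute("SELECT loginmessage FROM settings").fetchone()[0]


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (loginmessage TEXT, loginfootertext TEXT)")
    conn.execute("INSERT INTO settings VALUES ('', '')")
    return conn


def demo():
    """Returns (sanitized, bypassed, hardened) stored values for one payload."""
    conn = fresh_db()
    payload = "<b>hi</b>"  # constructed, harmless markup

    update_setting_vulnerable(conn, "loginmessage", payload)
    sanitized = read_login_message(conn)        # "bhi/b"

    update_setting_vulnerable(conn, "Loginmessage", payload)
    bypassed = read_login_message(conn)         # "<b>hi</b>" stored unsanitized

    update_setting_hardened(conn, "Loginmessage", payload)
    hardened = read_login_message(conn)         # "bhi/b" again
    return sanitized, bypassed, hardened


def hardened_rejects_unknown_field() -> bool:
    """The hardened handler refuses any name outside the allow-list."""
    try:
        update_setting_hardened(fresh_db(), "loginmessage; --", "x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print(hardened_rejects_unknown_field())
```

Running `demo()` shows the whole flaw in three stored values: the exact-case name is sanitized, the mixed-case name reaches the same column untouched, and the hardened handler sanitizes regardless of how the name is spelled. Two detection notes follow from the model: a case-insensitive comparison (or a canonical lookup) is the right fix for the check itself, and any handler that builds a column or table name from request input should be reviewed as an injection sink even when its values are parameterized.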