CVE-2012-6658
Published 2014-09-17
CVE-2012-6658: Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1)…
Priority: P421 · medium · 4.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 1.83% (76.2th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spiceworks | spiceworks | — | — |
GHSA
GHSA-c88c-rr5r-3prm: SQL injection vulnerability in SpiceWorks 5
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2012-2956 [MEDIUM] CWE-89 GHSA-c88c-rr5r-3prm: SQL injection vulnerability in SpiceWorks 5
SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is for the XSS.
GHSA
GHSA-mvjr-pp8f-j699: Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2012-6658 [MEDIUM] CWE-79 GHSA-mvjr-pp8f-j699: Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5
Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types.
No detection rules found.
Exploit-DB
Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation
exploitdb·2019-04-16·CVSS 7.0
CVE-2018-19374 [HIGH] Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation
---
# Exploit Title: Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) Privilege Escalation
# Date: 15th April 2019
# Exploit Author: Digital Interruption
# Vendor Homepage: https://www.manageengine.co.uk/
# Version: 6.6 (Build 6658)
# Tested on: Windows Server 2012 R2
# CVE : CVE-2018-19374
Due to weak permissions setup on the bin, lib and tools directories within the ManageEngine installation directory, it is possible for any authenticated user to modify several core files.
To escalate privileges to that of LOCAL SYSTEM, drop a payload onto the system and then add a line to bin\ChangeJRE.bat to execute it every time the system is rebooted.
Exploit-DB
SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / (Authenticated) SQL Injection
exploitdb·2012-07-23
CVE-2012-6658 SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / (Authenticated) SQL Injection
---
Product: SpiceWorks
Version: 5.3.75941
Vendor Site: http://www.spiceworks.com/community/
Software Download Link: http://www.spiceworks.com/download/?utm_source=comm-secondary-link&utm_medium=website&utm_campaign=homepage
Installer Filename: Spiceworks.exe MD5: 023bd361c0f9402dc07adbc5a72fe31d
Contact: http://www.spiceworks.com/contact/
Timeline:
04 Jun 2012: Vulnerability reported to CERT
08 Jun 2012: Response received from CERT with disclosure date of 20 Jul 2012
23 Jul 2012: Update received from CERT: No response from vendor
23 Jul 2012: Public Disclosure
SQL Injection (Post-Authentication):
http://server/api_v2.json?queries[device][class]=Device&queries[device][select]=id,b_manufacturer,man
No writeups or analysis indexed.
Published: 2014-09-17