CVE-2015-0514
Published 2015-01-21
CVE-2015-0514: EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging…
Priority: P3 / 35 / medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 7.65% (93.8th percentile)
EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | vipr_srm | <= 3.6.0 | — |
| emc | watch4net | <= 6.5 | — |
No detection rules found.
Exploit-DB
WordPress Plugin FeedWordPress 2015.0426 - SQL Injection
exploitdb·2015-05-20·CVSS 6.5
CVE-2015-4018 [MEDIUM] WordPress Plugin FeedWordPress 2015.0426 - SQL Injection
---
# Exploit Title: SQLi in FeedWordPress WordPress plugin
# Date: 2015-05-19
# Exploit Author: Adrián M. F.
# Vendor Homepage: https://wordpress.org/plugins/feedwordpress/
# Vulnerable version: 2015.0426
# Fixed version: 2015.0514
# CVE : CVE-2015-4018
(1) Authenticated SQLi [CWE-89]
* CODE:
feedwordpresssyndicationpage.class.php:89
+++++++++++++++++++++++++++++++++++++++++
$targets = $wpdb->get_results("
SELECT * FROM $wpdb->links
WHERE link_id IN (".implode(",",$_POST['link_ids']).")
");
+++++++++++++++++++++++++++++++++++++++++
http://192.168.167.131/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php
POST DATA: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php
Exploit-DB
EMC M&R (Watch4net) - Credential Disclosure
exploitdb·2015-03-19·CVSS 5.0
CVE-2015-0514 [MEDIUM] EMC M&R (Watch4net) - Credential Disclosure
---
Abstract
It was discovered that EMC M&R (Watch4net) credentials of remote servers stored in Watch4net are encrypted using a fixed hardcoded password. If an attacker manages to obtain a copy of the encrypted credentials, it is trivial to decrypt them.
Affected products
EMC reports that the following products are affected by this vulnerability:
- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1
See also
- CVE-2015-0514
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities (login required)
Fix
EMC released the following updated versions that resolve this vulnerability:
- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1
Registered cust
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/bugtraq/2015-01/0092.html
- http://packetstormsecurity.com/files/130910/EMC-M-R-Watch4net-Insecure-Credential-Storage.html
- http://seclists.org/fulldisclosure/2015/Mar/112
- http://www.securityfocus.com/archive/1/534923/100/0/threaded
- http://www.securityfocus.com/bid/72257
- http://www.securitytracker.com/id/1031567
- https://www.securify.nl/advisory/SFY20141101/emc_m_r__watch4net__data_storage_collector_credentials_are_not_properly_protected.html
Published: 2015-01-21