CVE-2015-5970 — Code Injection in Zenworks Configuration Management

CWE-94 — Code Injection3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.5%

top 33.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Novell Zenworks Configuration Management

Timeline

PublishedFeb 18

Latest updateMay 17

Description

The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11.3 and 11.4 allows remote attackers to conduct XPath injection attacks, and read arbitrary text files, via a malformed query involving a system entity reference.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

▶NVDnovell/zenworks_configuration_management5 versions+4

🔴Vulnerability Details

GHSA

GHSA-79wq-fqm7-crqp: The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11↗2022-05-17

▶

CVEList

CVE-2015-5970: The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11↗2016-02-18

▶