Hyland Onbase vulnerabilities
15 known vulnerabilities affecting hyland/onbase.
Total CVEs: 15
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 5, MEDIUM 2
Vulnerabilities
CVE-2020-25260 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization.
Source: NVD
CVE-2020-25254 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer.
Source: NVD
CVE-2020-25253 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by the TableName, ColumnName, Name, UserId, or Password parameter.
Source: NVD
CVE-2020-25257 | P3 | CRITICAL | CVSS 9.8 | CWE-611 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows XXE attacks for read/write access to arbitrary files.
Source: NVD
CVE-2020-25251 | P3 | CRITICAL | CVSS 9.1 | CWE-287 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information.
Source: NVD
CVE-2020-25258 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages.
Source: NVD
CVE-2020-25259 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner.
Source: NVD
CVE-2020-25252 | P3 | HIGH | CVSS 8.8 | CWE-352 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account).
Source: NVD
CVE-2020-25248 | P3 | HIGH | CVSS 7.5 | CWE-22 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Directory traversal exists for reading files, as demonstrated by the FileName parameter.
Source: NVD
CVE-2020-25256 | P3 | CRITICAL | CVSS 9.1 | CWE-798 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across different customers' installations.
Source: NVD
CVE-2020-25250 | P3 | HIGH | CVSS 7.5 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client applications can write arbitrary data to the server logs.
Source: NVD
CVE-2020-25247 | P3 | HIGH | CVSS 7.5 | CWE-22 | Affected: ≤ 18.0.0.32; ≥ 19.0.0.0, ≤ 19.8.9.1000 | Published: 2020-09-11
An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. Directory traversal exists for writing to files, as demonstrated by the FileName parameter.
Source: NVD
CVE-2020-25255 | P3 | HIGH | CVSS 7.5 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to cause a denial of service (outage of connection-request processing) via a long user ID, which triggers an exception and a large log entry.
Source: NVD
CVE-2022-23342 | P4 | MEDIUM | CVSS 5.3 | Affected: fixed in 20.3.58.1000; ≥ 21.1.1.1000, ≤ 21.1.15.1000 | Published: 2022-06-21
The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect end
Source: NVD
CVE-2020-25249 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 16.0.2.83; ≥ 17.0.0.0, ≤ 17.0.2.109; +3 more | Published: 2020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. The server typically logs activity only when a client application specifies that logging is desired. This can be problematic for use cases in a regulated industry, where server-side logging is required i
Source: NVD