
Planetestream Planet Estream vulnerabilities

8 known vulnerabilities affecting planetestream/planet_estream.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 4

Vulnerabilities

CVE-2022-45896 | P2 | CRITICAL | CVSS 9.8 | fixed in 6.72.10.07 | 2022-12-25
CWE-434: Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.
Source: NVD

CVE-2022-45893 | P3 | HIGH | CVSS 8.8 | fixed in 6.72.10.07 | 2022-12-25
CWE-307: Planet eStream before 6.72.10.07 allows a low-privileged user to gain access to administrative and high-privileged user accounts by changing the value of the ON cookie. A brute-force attack can calculate a value that provides permanent access.
Source: NVD

CVE-2022-45891 | P3 | CRITICAL | CVSS 9.1 | fixed in 6.72.10.07 | 2022-12-25
CWE-863: Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList).
Source: NVD

CVE-2022-45889 | P3 | HIGH | CVSS 7.2 | fixed in 6.72.10.07 | 2022-12-25
CWE-89: Planet eStream before 6.72.10.07 allows a remote attacker (who is a publisher or admin) to obtain access to all records stored in the database, and achieve the ability to execute arbitrary SQL commands, via Search (the StatisticsResults.aspx flt parameter).
Source: NVD

CVE-2022-45894 | P3 | MEDIUM | CVSS 6.5 | fixed in 6.72.10.07 | 2022-12-25
CWE-22: GetFile.aspx in Planet eStream before 6.72.10.07 allows ..\ directory traversal to read arbitrary local files.
Source: NVD

CVE-2022-45895 | P4 | MEDIUM | CVSS 6.5 | fixed in 6.72.10.07 | 2022-12-25
CWE-668: Planet eStream before 6.72.10.07 discloses sensitive information, related to the ON cookie (findable in HTML source code for Default.aspx in some situations) and the WhoAmI endpoint (e.g., path disclosure).
Source: NVD

CVE-2022-45890 | P4 | MEDIUM | CVSS 6.1 | fixed in 6.72.10.07 | 2022-12-25
CWE-79: In Planet eStream before 6.72.10.07, a Reflected Cross-Site Scripting (XSS) vulnerability exists via any metadata filter field (e.g., search within Default.aspx with the r or fo parameter).
Source: NVD

CVE-2022-45892 | P4 | MEDIUM | CVSS 5.4 | fixed in 6.72.10.07 | 2022-12-25
CWE-79: In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.
Source: NVD