cvebase

Stonefly Storage Concentrator vulnerabilities

6 known vulnerabilities affecting stonefly/storage_concentrator.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, MEDIUM 2

Vulnerabilities

CVE-2026-56413 | P2 | CRITICAL | CVSS 10.0 | fixed in 8.0.4.29 | 2026-06-30
CWE-78: Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate san
Source: nvd

CVE-2026-56415 | P2 | CRITICAL | CVSS 10.0 | fixed in 8.0.4.22 | 2026-06-30
CWE-78: Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level
Source: nvd

CVE-2026-55721 | P3 | CRITICAL | CVSS 9.3 | fixed in 8.0.4.22 | 2026-06-30
CWE-89: Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underl
Source: nvd

CVE-2026-50110 | P3 | CRITICAL | CVSS 9.2 | fixed in 8.0.4.26 | 2026-06-30
CWE-798: Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication s
Source: nvd

CVE-2024-31947 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.0.4.26 | 2024-07-12
CWE-22: StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows Directory Traversal by authenticated users. Using a crafted path parameter with the Online Help facility can expose sensitive system information.
Source: nvd

CVE-2026-50040 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.0.4.22 | 2026-06-30
CWE-79: Storage Concentrator (SC & SCVM) is vulnerable to reflected cross-site scripting due to unsanitized content being echoed back in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, causes arbitrary script content to execute within the victim's browser session in the context of the application. This could
Source: nvd