Nedi

nedi

Vendor: Nedi • 26 CVEs

CVEs (26)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-40895 1Nedi 1Nedi Nov 21, 2024 Oct 6, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulner...Show more In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. This affects NeDi 1.0.7 for OS X 1.0.7 <= and NeDi for Suse 1.0.7 <= and NeDi for FreeBSD 1.0.7 <=.Show less
CVE-2021-26753 1Nedi 1Nedi Nov 21, 2024 Feb 12, 2021 N/A· v4 9.9 CRITICAL· v3 6.5 MEDIUM· v2 NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system w...Show more NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.Show less
CVE-2021-26752 1Nedi 1Nedi Nov 21, 2024 Feb 12, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access t...Show more NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.Show less
CVE-2021-26751 1Nedi 1Nedi Nov 21, 2024 Feb 12, 2021 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data...Show more NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and obtain access to the NeDi application.Show less
CVE-2020-23989 1Nedi 1Nedi Nov 21, 2024 Nov 2, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C allows pwsec.php oid XSS.
CVE-2020-23868 1Nedi 1Nedi Nov 21, 2024 Nov 2, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C allows inc/rt-popup.php d XSS.
CVE-2020-15035 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Map.php hde parameter.
CVE-2020-15034 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Setup.php tet parameter.
CVE-2020-15033 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the snmpget.php ip parameter.
CVE-2020-15032 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Incidents.php id parameter.
CVE-2020-15031 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php chg parameter.
CVE-2020-15030 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Routes.php rtr parameter.
CVE-2020-15029 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php sn parameter.
CVE-2020-15028 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Map.php xo parameter.
CVE-2020-15037 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
CVE-2020-15036 1Nedi 1Nedi Nov 21, 2024 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
CVE-2020-14414 1Nedi 1Nedi Nov 21, 2024 Jun 29, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contain...Show more NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw parameter. (This can also be exploited via CSRF.)Show less
CVE-2020-14413 1Nedi 1Nedi Nov 21, 2024 Jun 29, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demons...Show more NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.Show less
CVE-2020-14412 1Nedi 1Nedi Nov 21, 2024 Jun 29, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) th...Show more NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter. (This can also be exploited via CSRF.)Show less
CVE-2020-15017 1Nedi 1Nedi Nov 21, 2024 Jun 26, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 NeDi 1.9C is vulnerable to reflected cross-site scripting. The Devices-Config.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the sta GET parameter...Show more NeDi 1.9C is vulnerable to reflected cross-site scripting. The Devices-Config.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the sta GET parameter.Show less

12 Next