Flexair

flexair

Vendor: Primasystems • 10 CVEs

CVEs (10)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-7670 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.Show less
CVE-2019-7669 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. Improper validation of file extensions when uploading files could allow a remote authenticated attacker to upload and execute malicious applications within the applicatio...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. Improper validation of file extensions when uploading files could allow a remote authenticated attacker to upload and execute malicious applications within the application’s web root with root privileges.Show less
CVE-2019-7668 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 Prima Systems FlexAir devices have Default Credentials.
CVE-2019-7667 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 9.8 CRITICAL· v3 6.4 MEDIUM· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. The application generates database backup files with a predictable name, and an attacker can use brute force to identify the database backup file name. A malicious actor...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. The application generates database backup files with a predictable name, and an attacker can use brute force to identify the database backup file name. A malicious actor can exploit this issue to download the database file and disclose login information, which can allow the attacker to bypass authentication and have full access to the system.Show less
CVE-2019-7666 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. The application allows improper authentication using the MD5 hash value of the password, which may allow an attacker with access to the database to login as admin without...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. The application allows improper authentication using the MD5 hash value of the password, which may allow an attacker with access to the database to login as admin without decrypting the password.Show less
CVE-2019-7281 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visi...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website.Show less
CVE-2019-7280 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication.
CVE-2019-7672 1Primasystems 1Flexair Nov 21, 2024 Jun 5, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.
CVE-2019-7671 1Primasystems 1Flexair Nov 21, 2024 Jun 5, 2019 N/A· v4 9.0 CRITICAL· v3 3.5 LOW· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in context of an affected site.Show less
CVE-2019-9189 1Primasystems 1Flexair Nov 21, 2024 Jun 5, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root c...Show more Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root code execution, not as a web server user, allowing an authenticated attacker to gain full system access.Show less