Cybelesoft

cybelesoft

13 CVEs • 4 products

Products (4)

Click to collapse

Toggle

Thinfinity Virtualui

thinfinity_virtualui

Thinfinity Workspace

thinfinity_workspace

Thinfinity Remote Desktop Workstation

thinfinity_remote_desktop_workstation

CVEs (13)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-40410 1Cybelesoft 1Thinfinity Workspace May 1, 2025 Nov 13, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain a hardcoded cryptographic key used for encryption.
CVE-2024-40408 1Cybelesoft 1Thinfinity Workspace May 1, 2025 Nov 13, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. This vulnerability allows attackers to create arbitrary user profiles with elevated...Show more Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. This vulnerability allows attackers to create arbitrary user profiles with elevated privileges.Show less
CVE-2024-40407 1Cybelesoft 1Thinfinity Workspace May 1, 2025 Nov 13, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 A full path disclosure in Cybele Software Thinfinity Workspace before v7.0.2.113 allows attackers to obtain the root path of the application via unspecified vectors.
CVE-2024-40405 1Cybelesoft 1Thinfinity Workspace May 1, 2025 Nov 13, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 Incorrect access control in Cybele Software Thinfinity Workspace before v7.0.3.109 allows attackers to gain access to a secondary broker via a crafted request.
CVE-2024-40404 1Cybelesoft 1Thinfinity Workspace May 1, 2025 Nov 13, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the API endpoint where Web Sockets connections are established.
CVE-2022-25227 1Cybelesoft 1Thinfinity Vnc Nov 21, 2024 May 20, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be us...Show more Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.Show less
CVE-2021-46354 1Cybelesoft 1Thinfinity Virtualui Nov 21, 2024 Feb 9, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can all...Show more Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can allow the vulnerable server to filtrate the real IP of the web server or increase the attack surface.Show less
CVE-2021-44554 1Cybelesoft 1Thinfinity Virtualui Nov 21, 2024 Dec 20, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks t...Show more Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krgtbt.Show less
CVE-2021-45092 1Cybelesoft 1Thinfinity Virtualui Nov 21, 2024 Dec 16, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.
CVE-2021-44848 1Cybelesoft 1Thinfinity Virtualui Nov 21, 2024 Dec 13, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.
CVE-2019-16385 1Cybelesoft 1Thinfinity Virtualui Nov 21, 2024 Jun 4, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application...Show more Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed.Show less
CVE-2019-16384 1Cybelesoft 1Thinfinity Virtualui Nov 21, 2024 Jun 4, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Cybele Thinfinity VirtualUI 2.5.17.2 allows ../ path traversal that can be used for data exfiltration. This enables files outside of the web directory to be retrieved if the exact location is known and the user has permi...Show more Cybele Thinfinity VirtualUI 2.5.17.2 allows ../ path traversal that can be used for data exfiltration. This enables files outside of the web directory to be retrieved if the exact location is known and the user has permissions.Show less
CVE-2015-1429 1Cybelesoft 1Thinfinity Remote Desktop Workstation May 13, 2026 Oct 6, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Directory traversal vulnerability in Cybele Software Thinfinity Remote Desktop Workstation 3.0.0.3 32-bit and 64-bit allows remote attackers to download arbitrary files via a .. (dot dot) in an unspecified parameter.