Vulnerabilities for 'Onbase'

2022-06-21
CVE-2022-23342
NVD-CWE-noinfo

The Hyland OnBase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to username enumeration. A POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint returns a different response for a valid user than for an invalid one, so an attacker can confirm which usernames exist. This enables user enumeration against the underlying Active Directory-integrated systems.
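
An added example (not part of this page or of Hyland's code) of how a tester confirms the oracle: send one login attempt for a known-valid user and one for a nonexistent user, both with a wrong password, then diff the normalised responses. The JSON field names userName and password and the list of volatile fields are assumptions; the page only gives the endpoint and the method. Only the comparison runs offline; probe() needs network access to a target you are authorised to test.

```python
"""Differential-response check for username enumeration (CVE-2022-23342).

Added example, not Hyland code. The request body shape sent to
/mobilebroker/ServiceToBroker.svc/Json/Connect is an assumption.
"""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Fields that legitimately vary between otherwise identical responses (assumed names).
VOLATILE = re.compile(r'"(?:timestamp|requestId|sessionId|date)"\s*:\s*"[^"]*"', re.I)


@dataclass
class Resp:
    status: int
    body: str


def normalise(body: str) -> str:
    """Mask volatile fields and whitespace so only semantic differences remain."""
    return re.sub(r"\s+", " ", VOLATILE.sub('"<volatile>"', body)).strip()


def compare_responses(valid: Resp, invalid: Resp) -> dict:
    """Return the observable differences an attacker could key on."""
    nv, ni = normalise(valid.body), normalise(invalid.body)
    return {
        "status_differs": valid.status != invalid.status,
        "length_differs": len(nv) != len(ni),
        "body_differs": nv != ni,
    }


def is_enumeration_oracle(valid: Resp, invalid: Resp) -> bool:
    """True if any channel distinguishes a valid username from an invalid one."""
    return any(compare_responses(valid, invalid).values())


def probe(base_url: str, username: str, timeout: float = 10.0) -> Resp:
    """Send one login attempt with a deliberately wrong password (assumed body format)."""
    payload = json.dumps({"userName": username, "password": "wrong-" + username}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/mobilebroker/ServiceToBroker.svc/Json/Connect",
        data=payload,
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Resp(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Resp(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample responses illustrating the oracle; not captured from a real server.
SAMPLE_VALID = Resp(200, '{"timestamp":"2022-06-21T10:00:01Z","error":"Invalid password"}')
SAMPLE_INVALID = Resp(200, '{"timestamp":"2022-06-21T10:00:02Z","error":"User not found"}')
SAMPLE_FIXED = Resp(200, '{"timestamp":"2022-06-21T10:00:03Z","error":"Invalid username or password"}')

if __name__ == "__main__":
    print(compare_responses(SAMPLE_VALID, SAMPLE_INVALID))
```

Run probe() twice, once with an account you know exists and once with a random string, and feed the two results to compare_responses(); a patched server should come back with every flag False. Timing is a fourth channel that this comparison does not cover.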

2020-09-11
CVE-2020-25260
CWE-502

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization.

CVE-2020-25259
CWE-502

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. It uses XML deserialization libraries in an unsafe manner.

CVE-2020-25258
CWE-502

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. It passes attacker-controlled data carried in SOAP messages to .NET BinaryFormatter.Deserialize, which lets a remote attacker transmit a serialized payload that executes code on the server.
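
An added detection example for the three deserialization entries above (CVE-2020-25258, CVE-2020-25259 and CVE-2020-25260); it is not Hyland's code. It scans SOAP envelopes for base64 text that decodes to a .NET BinaryFormatter stream header (record type 0x00, header id -1, version 1.0, the bytes behind the familiar base64 prefix AAEAAAD/////) and JSON bodies for Json.NET "$type" type hints, the usual precondition for JSON gadget chains. The sample messages are constructed; the real OnBase message shapes are not on the page, and the SOAP sample carries only a header plus filler, not a gadget chain.

```python
"""Detect .NET deserialization payload indicators in inbound SOAP and JSON.

Added example for CVE-2020-25258/25259/25260, not Hyland code.
"""
import base64
import binascii
import json
import xml.etree.ElementTree as ET


def looks_like_binaryformatter(blob: bytes) -> bool:
    """SerializationHeaderRecord: type 0x00, rootId, headerId -1, major 1, minor 0."""
    return (
        len(blob) >= 17
        and blob[0] == 0x00
        and blob[5:9] == b"\xff\xff\xff\xff"
        and blob[9:17] == b"\x01\x00\x00\x00\x00\x00\x00\x00"
    )


def _try_b64(text: str):
    """Decode strict base64 or return None; short strings cannot hold a header."""
    compact = "".join(text.split())
    if len(compact) < 24:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_soap(envelope: str) -> list:
    """Return tags of elements whose text decodes to a BinaryFormatter stream."""
    hits = []
    for el in ET.fromstring(envelope).iter():
        blob = _try_b64(el.text or "")
        if blob is not None and looks_like_binaryformatter(blob):
            hits.append(el.tag)
    return hits


def scan_json(body: str) -> list:
    """Return JSON paths of objects that carry a "$type" key ("$" for the root)."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                if k == "$type":
                    hits.append(path or "$")
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(json.loads(body), "")
    return hits


# Constructed samples. BF_HEADER is the 17-byte SerializationHeaderRecord only.
BF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
SOAP_BAD = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    "<Request><Data>" + base64.b64encode(BF_HEADER + b"\x0c\x02" + b"A" * 16).decode()
    + "</Data></Request></s:Body></s:Envelope>"
)
SOAP_OK = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    "<Request><Data>" + base64.b64encode(b"plain document content, not a serialized object").decode()
    + "</Data></Request></s:Body></s:Envelope>"
)
JSON_BAD = '{"user":{"$type":"Some.Type, SomeAssembly","name":"x"}}'  # placeholder type name
JSON_OK = '{"user":{"name":"x"}}'

if __name__ == "__main__":
    print(scan_soap(SOAP_BAD), scan_soap(SOAP_OK), scan_json(JSON_BAD), scan_json(JSON_OK))
```

The byte check is a signature, so it catches the common case (ysoserial.net-style payloads) rather than every encoding; the durable fix is not a filter but removing BinaryFormatter and leaving TypeNameHandling at None on the server side.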

CVE-2020-25257
CWE-611

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. It allows XXE attacks for read/write access to arbitrary files.
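
The standard mitigation for this class, as an added example that is not part of the page or of OnBase: refuse any document that declares a DTD before it reaches the parser, since external entities can only be defined there. The XXE sample is constructed for the test. In .NET the same effect comes from XmlReaderSettings with DtdProcessing = DtdProcessing.Prohibit and XmlResolver = null.

```python
"""Reject DTDs before parsing untrusted XML (mitigation pattern for CVE-2020-25257).

Added example, not Hyland code. The sample documents are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when the document declares a DTD, which is where external entities live."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Fail closed on any DOCTYPE, then parse with ElementTree."""
    checker = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler abort Parse() and propagate to the caller.
        raise DtdRejected(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")

    checker.StartDoctypeDeclHandler = on_doctype
    checker.Parse(data, True)  # raises DtdRejected or ExpatError; otherwise the doc is DTD-free
    return ET.fromstring(data)


def is_xml_safe(data: bytes) -> bool:
    """Convenience wrapper: True only if the document parses with no DTD."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DtdRejected, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: the classic external-entity shape, and a benign document.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<doc><name>&ext;</name></doc>"""
BENIGN_SAMPLE = b"<doc><name>report-2020</name></doc>"

if __name__ == "__main__":
    print(is_xml_safe(XXE_SAMPLE), is_xml_safe(BENIGN_SAMPLE))
```

Rejecting the DOCTYPE outright is simpler than trying to allow internal subsets while blocking external ones, and it also stops entity-expansion denial of service; if a feed genuinely needs a DTD, validate it against a fixed schema on the receiving side instead.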

CVE-2020-25256
CWE-798

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. PKI certificates ship with a private key that is the same across different customers' installations, so the key cannot be considered secret to any one deployment.

CVE-2020-25255
NVD-CWE-noinfo

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. It allows remote attackers to cause a denial of service (outage of connection-request processing) via a long user ID, which triggers an exception and a large log entry.
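
An added example (not OnBase code) of a login path hardened against both this issue and the CVE-2022-23342 enumeration above: the user ID is length-checked before any lookup or logging, the log line carries only a bounded preview, and unknown-user and wrong-password attempts take the same code path and return the same message. The in-memory user store and the 256-character bound are assumptions.

```python
"""Login handler that bounds input and gives a uniform answer.

Added example, not OnBase code. Mitigates a long user ID reaching the
authentication path and producing a large log entry (CVE-2020-25255) and a
response that tells valid from invalid users apart (CVE-2022-23342).
"""
import hashlib
import hmac
import logging
import os
from typing import Tuple

MAX_USER_ID = 256          # assumed bound; pick it from the directory's real limits
LOG_PREVIEW = 32           # never log more than this many characters of input
GENERIC_FAILURE = "Invalid username or password"
log = logging.getLogger("auth")


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt)}


# Constructed user store standing in for the directory lookup. A dummy record is
# verified when the user is unknown so both failure paths do the same work.
USERS = {"alice": make_record("correct horse battery staple")}
DUMMY = make_record("not-a-real-password")


def login(user_id: str, password: str) -> Tuple[bool, str]:
    if not isinstance(user_id, str) or not user_id or len(user_id) > MAX_USER_ID:
        # Reject before any lookup; log a bounded preview, never the whole value.
        log.warning("rejected user id of %d chars: %r...",
                    len(user_id or ""), (user_id or "")[:LOG_PREVIEW])
        return False, GENERIC_FAILURE
    record = USERS.get(user_id, DUMMY)
    ok = hmac.compare_digest(_pbkdf2(password, record["salt"]), record["hash"])
    if not ok or user_id not in USERS:
        # Same message and same log shape whether the user exists or not.
        log.info("login failed for %r", user_id[:LOG_PREVIEW])
        return False, GENERIC_FAILURE
    return True, "ok"


if __name__ == "__main__":
    print(login("alice", "wrong"), login("nobody", "wrong"), login("A" * 100000, "x"))
```

The oversized-ID branch returns before any hashing or directory call, which is what keeps a flood of long IDs from tying up request processing; the bounded preview keeps the log entry small regardless of input size.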

CVE-2020-25254
CWE-89

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer.

CVE-2020-25253
CWE-89

An issue was discovered in Hyland OnBase through 18.0.0.32. It allows SQL injection, as demonstrated by the TableName, ColumnName, Name, UserId, or Password parameter.
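
Added example for the two SQL injection entries above (CVE-2020-25254 and CVE-2020-25253), not OnBase code, using sqlite3 in place of the SQL Server backend. It shows the injectable concatenation beside the parameterised form for value parameters such as UserId and Password, and the allow-list check that TableName and ColumnName need, because identifiers cannot be bound as parameters. The schema, accounts and passwords are constructed.

```python
"""Parameterise values, allow-list identifiers (CVE-2020-25253 / CVE-2020-25254).

Added example, not OnBase code; sqlite3 stands in for SQL Server.
"""
import sqlite3

# Assumed schema: the only identifiers the application is ever allowed to interpolate.
ALLOWED_TABLES = {"users", "documents"}
ALLOWED_COLUMNS = {"users": {"id", "name"}, "documents": {"id", "title"}}


def connect() -> sqlite3.Connection:
    """In-memory database with constructed rows (passwords are not real defaults)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw TEXT);
        INSERT INTO users(name, pw) VALUES ('manager', 's3cret'), ('hsi', 'other');
        CREATE TABLE documents(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO documents(title) VALUES ('invoice');
    """)
    return db


def login_vulnerable(db, user_id: str, password: str) -> list:
    """String concatenation: the injectable form the advisory describes."""
    sql = f"SELECT name FROM users WHERE name = '{user_id}' AND pw = '{password}'"
    return [r[0] for r in db.execute(sql)]


def login_fixed(db, user_id: str, password: str) -> list:
    """Bound parameters: input is data, never SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [r[0] for r in db.execute(sql, (user_id, password))]


def identifier_allowed(table: str, column: str) -> bool:
    return table in ALLOWED_TABLES and column in ALLOWED_COLUMNS.get(table, set())


def quote_ident(name: str) -> str:
    """ANSI identifier quoting; SQL Server also accepts this with QUOTED_IDENTIFIER ON."""
    return '"' + name.replace('"', '""') + '"'


def select_column(db, table: str, column: str) -> list:
    """Identifiers cannot be parameters, so validate before interpolating."""
    if not identifier_allowed(table, column):
        raise ValueError(f"identifier not allowed: {table}.{column}")
    sql = f"SELECT {quote_ident(column)} FROM {quote_ident(table)}"
    return [r[0] for r in db.execute(sql)]


INJECT = "' OR '1'='1"   # classic tautology payload for the password parameter

if __name__ == "__main__":
    db = connect()
    print(login_vulnerable(db, "x", INJECT), login_fixed(db, "x", INJECT))
```

The tautology returns every user from the concatenated query and nothing from the parameterised one; the identifier path is the one developers most often leave open, because a placeholder cannot stand in for a table name, and "quote it" is not a substitute for the allow-list.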

CVE-2020-25252
CWE-352

An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. Because default credentials exist (the password wstinol for the manager or hsi account), CSRF can be used to log a victim's browser in with those credentials and then perform actions in that session.
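
An added example (not OnBase code) of the two controls this entry calls for: a per-session synchroniser token compared in constant time plus an Origin check on the login form, so a cross-site POST cannot log the victim in, and a startup check that lists accounts still on a shipped default password. Requests and the credential store are plain dicts constructed for the test; the allowed origin is an assumption.

```python
"""Login CSRF defence plus a default-credential check (CVE-2020-25252).

Added example, not OnBase code. The default password is taken from the
advisory text; accounts, requests and the origin are constructed/assumed.
"""
import hmac
import secrets

DEFAULT_PASSWORDS = {"wstinol"}                            # from the advisory
ALLOWED_ORIGINS = {"https://onbase.example.internal"}      # assumed deployment origin


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the (pre-login) session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def csrf_ok(session: dict, request: dict) -> bool:
    """Require the form token to match the session token and the Origin to be ours."""
    expected = session.get("csrf")
    supplied = request.get("form", {}).get("csrf_token")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected, supplied):
        return False
    # A form POST from another site carries that site's Origin (or none at all).
    return request.get("headers", {}).get("Origin") in ALLOWED_ORIGINS


def handle_login(session: dict, request: dict, authenticate) -> str:
    if not csrf_ok(session, request):
        return "403 forbidden: bad CSRF token or origin"
    form = request["form"]
    if authenticate(form.get("user"), form.get("password")):
        session["user"] = form["user"]
        return "200 logged in"
    return "401 invalid username or password"


def accounts_on_default_password(accounts: dict, check_password) -> list:
    """Startup check: accounts whose current password is still a shipped default."""
    return sorted(u for u in accounts
                  if any(check_password(u, p) for p in DEFAULT_PASSWORDS))


# Constructed credential store; only "manager" is still on the shipped password.
ACCOUNTS = {"manager": "wstinol", "hsi": "rotated-Xy7!", "alice": "pw-alice"}


def check_password(user, password) -> bool:
    if not isinstance(user, str) or not isinstance(password, str):
        return False
    return hmac.compare_digest(ACCOUNTS.get(user, ""), password)


if __name__ == "__main__":
    print(accounts_on_default_password(ACCOUNTS, check_password))
```

The token must exist before login (a pre-session cookie), otherwise the login form has nothing to bind to; and the default-password check should refuse to start the service rather than merely warn, since the advisory's whole attack depends on the shipped password still working.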

Copyright 2024, cxsecurity.com