VYPR

Web Central

by Archibus

CVEs (8)

  • CVE-2022-28862CriMay 25, 2022
    risk 0.64cvss 9.8epss 0.01

    In Archibus Web Central before 26.2, multiple SQL Injection vulnerabilities occur in dwr/call/plaincall/workflow.runWorkflowRule.dwr. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perform unauthorized (and unexpected)…

  • CVE-2021-41553CriOct 5, 2021
    risk 0.64cvss 9.8epss 0.01

    In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. It was therefore possible to access the application through a user whose credentials were not known, without…

  • CVE-2021-41554HigOct 5, 2021
    risk 0.57cvss 8.8epss 0.01

    ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.ax…

  • CVE-2022-45166MedJan 10, 2023
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a set of user-controlled parameters that are used to act on the data returned to the user. It allows a basic user to access data unrelated to their role.

  • CVE-2022-45165MedJan 10, 2023
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a user-controlled parameter that is used to create an SQL query. It causes this service to be prone to SQL injection.

  • CVE-2021-41555MedOct 5, 2021
    risk 0.40cvss 6.1epss 0.01

    In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), XSS occurs in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr because the data received as input from clients is re-included within the HTTP response returned by the application without adequate validation. In…

  • CVE-2022-45167MedJan 10, 2023
    risk 0.28cvss 4.3epss 0.00

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to access the profile information of all connected users.

  • CVE-2022-45164MedJan 10, 2023
    risk 0.28cvss 4.3epss 0.00

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to cancel (delete) a booking, created by someone else - even if this basic user is not a member of the booking