VYPR

eStream

by Planet

CVEs (5)

  • CVE-2022-45893 (Dec 25, 2022)
    risk 0.00 | cvss | epss 0.01

    Planet eStream before 6.72.10.07 allows a low-privileged user to gain access to administrative and high-privileged user accounts by changing the value of the ON cookie. A brute-force attack can calculate a value that provides permanent access.

  • CVE-2022-45896 (Dec 25, 2022)
    risk 0.00 | cvss | epss 0.01

    Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.

  • CVE-2022-45892 (Dec 25, 2022)
    risk 0.00 | cvss | epss 0.00

    In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.

  • CVE-2022-45891 (Dec 25, 2022)
    risk 0.00 | cvss | epss 0.01

    Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList).

  • CVE-2022-45889 (Dec 25, 2022)
    risk 0.00 | cvss | epss 0.01

    Planet eStream before 6.72.10.07 allows a remote attacker (who is a publisher or admin) to obtain access to all records stored in the database, and achieve the ability to execute arbitrary SQL commands, via Search (the StatisticsResults.aspx flt parameter).