VYPR

RLM

by Reprise Software

CVEs (6)

  • CVE-2021-44152CriDec 13, 2021
    risk 0.68cvss 9.8epss 0.59

    An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby…

  • CVE-2021-44151HigDec 13, 2021
    risk 0.49cvss 7.5epss 0.03

    An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the…

  • CVE-2021-44154HigDec 13, 2021
    risk 0.47cvss 7.2epss 0.02

    An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.

  • CVE-2021-44153HigDec 13, 2021
    risk 0.47cvss 7.2epss 0.02

    An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo "C:\Windows\System32\calc.exe" entry. An attacker can exploit this to run a malicious…

  • CVE-2022-30519MedDec 29, 2022
    risk 0.43cvss 6.1epss 0.03

    XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field.

  • CVE-2021-44155MedDec 13, 2021
    risk 0.35cvss 5.3epss 0.02

    An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.