VYPR

SmartClient

by SmartClient

CVEs (4)

  • CVE-2020-9352CriFeb 23, 2020
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter. NOTE: the documentation states…

  • CVE-2020-9354HigFeb 23, 2020
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an…

  • CVE-2020-9353HigFeb 23, 2020
    risk 0.49cvss 7.5epss 0.02

    An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal…

  • CVE-2020-9351MedFeb 23, 2020
    risk 0.35cvss 5.3epss 0.01

    An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the…