Remote Kiln Control
by Blaauw
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-18869 | Blaauw / Remote Kiln Control | Critical | 0.64 | 9.8 | 0.01 | | May 7, 2020 | Leftover Debug Code in Blaauw Remote Kiln Control through v3.00r4 allows a user to execute arbitrary php code via /default.php?idx=17. |
| CVE-2019-18868 | Blaauw / Remote Kiln Control | Critical | 0.64 | 9.8 | 0.01 | | May 7, 2020 | Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc, /lang/nl.bak, or /lang/en.bak. |
| CVE-2019-18871 | Blaauw / Remote Kiln Control | High | 0.57 | 8.8 | 0.03 | | May 7, 2020 | A path traversal in debug.php accessed via default.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to upload arbitrary files, leading to arbitrary remote code execution. |
| CVE-2019-18872 | Blaauw / Remote Kiln Control | High | 0.49 | 7.5 | 0.01 | | May 7, 2020 | Weak password requirements in Blaauw Remote Kiln Control through v3.00r4 allow a user to set short or guessable passwords (e.g., 1 or 1234). |
| CVE-2019-18866 | Blaauw / Remote Kiln Control | High | 0.49 | 7.5 | 0.01 | | May 7, 2020 | Unauthenticated SQL injection via the username in the login mechanism in Blaauw Remote Kiln Control through v3.00r4 allows a user to extract arbitrary data from the rkc database. |
| CVE-2019-18864 | Blaauw / Remote Kiln Control | High | 0.49 | 7.5 | 0.01 | | May 7, 2020 | /server-info and /server-status in Blaauw Remote Kiln Control through v3.00r4 allow an unauthenticated attacker to gain sensitive information about the host machine. |
| CVE-2019-18867 | Blaauw / Remote Kiln Control | High | 0.49 | 7.5 | 0.01 | | May 7, 2020 | Browsable directories in Blaauw Remote Kiln Control through v3.00r4 allow an attacker to enumerate sensitive filenames and locations, including source code. This affects /ajax/, /common/, /engine/, /flash/, /images/, /Images/, /jscripts/, /lang/, /layout/, /programs/, and /sms/. |
| CVE-2019-18870 | Blaauw / Remote Kiln Control | Medium | 0.42 | 6.5 | 0.01 | | May 7, 2020 | A path traversal via the iniFile parameter in excel.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to download arbitrary files from the host machine. |
| CVE-2019-18865 | Blaauw / Remote Kiln Control | Medium | 0.35 | 5.3 | 0.01 | | May 7, 2020 | Information disclosure via error message discrepancies in authentication functions in Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to enumerate valid usernames. |