VYPR

Cmc

by Nozominetworks

CVEs (38)

  • CVE-2025-40892 | High | Dec 18, 2025
    risk 0.58 | cvss 8.9 | epss 0.00

    A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially…

  • CVE-2025-40898 | High | Dec 18, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files…

  • CVE-2025-3718 | High | Oct 7, 2025
    risk 0.51 | cvss 7.9 | epss 0.00

    A client-side path traversal vulnerability was discovered in the web management interface front-end due to missing validation of an input parameter. An authenticated user with limited privileges can craft a malicious URL which, if visited by an authenticated victim, leads to a…

  • CVE-2024-13089 | High | Jun 10, 2025
    risk 0.47 | cvss 7.2 | epss 0.01

    An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands. Users with administrative privileges may upload update packages to upgrade the versions of Nozomi Networks Guardian…

  • CVE-2025-40904 | Medium | May 19, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views…

  • CVE-2025-40893 | Medium | Dec 18, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the…

  • CVE-2025-40903 | Medium | May 19, 2026
    risk 0.38 | cvss 5.9 | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim…

  • CVE-2025-40902 | Medium | May 19, 2026
    risk 0.38 | cvss 5.9 | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete…

  • CVE-2025-40901 | Medium | May 19, 2026
    risk 0.38 | cvss 5.9 | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to…

  • CVE-2025-40891 | Medium | Dec 18, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset…

  • CVE-2025-40900 | Medium | May 19, 2026
    risk 0.30 | cvss 4.6 | epss 0.00

    An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be…

  • CVE-2025-40894 | Medium | Mar 4, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is…

  • CVE-2025-1501 | Medium | Aug 26, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    An access control vulnerability was discovered in the Request Trace and Download Trace functionalities of CMC before 25.1.0 due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can…

  • CVE-2025-40895 | Mar 4, 2026
    risk 0.00 | cvss | epss 0.00

    A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. A malicious authenticated user with administrator privileges on a Guardian connected to a CMC can edit the Guardian's…

  • CVE-2025-40888 | Oct 7, 2025
    risk 0.00 | cvss | epss 0.00

    A SQL Injection vulnerability was discovered in the CLI functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing…

  • CVE-2025-40889 | Oct 7, 2025
    risk 0.00 | cvss | epss 0.00

    A path traversal vulnerability was discovered in the Time Machine functionality due to missing validation of two input parameters. An authenticated user with limited privileges, by issuing a specifically-crafted request, can potentially alter the structure and content of files…

  • CVE-2025-40887 | Oct 7, 2025
    risk 0.00 | cvss | epss 0.00

    A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing…

  • CVE-2025-40886 | Oct 7, 2025
    risk 0.00 | cvss | epss 0.00

    A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SQL statements on the DBMS used by the web application, potentially exposing unauthorized…

  • CVE-2025-40885 | Oct 7, 2025
    risk 0.00 | cvss | epss 0.00

    A SQL Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially…

  • CVE-2025-3719 | Oct 7, 2025
    risk 0.00 | cvss | epss 0.00

    An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrative CLI commands, altering the device…

Page 1 of 2