Eyesofnetwork
CVEs (35)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-14983 | Med | 0.31 | 4.8 | 0.01 | Oct 3, 2017 | Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the object parameter to module/admin_conf/index.php. | ||
| CVE-2020-8655 | 0.22 | — | 0.58 | KEV | Feb 6, 2020 | An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7. | ||
| CVE-2020-8657 | 0.22 | — | 0.92 | KEV | Feb 6, 2020 | An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. | ||
| CVE-2020-8656 | 0.10 | — | 0.85 | Feb 6, 2020 | An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php. | |||
| CVE-2021-27514 | 0.01 | — | 0.04 | Feb 21, 2021 | EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation). | |||
| CVE-2019-14923 | 0.01 | — | 0.04 | Aug 16, 2019 | EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field. | |||
| CVE-2022-41572 | 0.00 | — | 0.01 | Jan 7, 2025 | An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Privilege escalation can be accomplished on the server because nmap can be run as root. The attacker achieves total control over the server. | |||
| CVE-2022-41434 | 0.00 | — | 0.00 | Nov 8, 2022 | EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php. | |||
| CVE-2022-41571 | 0.00 | — | 0.01 | Sep 27, 2022 | An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Local file inclusion can occur. | |||
| CVE-2022-41570 | 0.00 | — | 0.01 | Sep 27, 2022 | An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Unauthenticated SQL injection can occur. | |||
| CVE-2022-38357 | 0.00 | — | 0.01 | Aug 15, 2022 | Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php. | |||
| CVE-2022-38358 | 0.00 | — | 0.01 | Aug 15, 2022 | Improper neutralization of input during web page generation leaves the Eyes of Network web application vulnerable to cross-site scripting attacks at /module/admin_notifiers/rules.php and /module/report_event/indext.php via the parameters rule_notification, rule_name, and… | |||
| CVE-2021-40643 | 0.00 | — | 0.03 | Jun 30, 2022 | EyesOfNetwork before 07-07-2021 has a Remote Code Execution vulnerability on the mail options configuration page. In the location of the "sendmail" application in the "cacti" configuration page (by default/usr/sbin/sendmail) it is possible to execute any command, which will be… | |||
| CVE-2022-24612 | 0.00 | — | 0.01 | Feb 25, 2022 | An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS. | |||
| CVE-2020-27887 | 0.00 | — | 0.02 | Oct 29, 2020 | An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php. |
- risk 0.31cvss 4.8epss 0.01
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the object parameter to module/admin_conf/index.php.
- risk 0.22cvss —epss 0.58
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.
- risk 0.22cvss —epss 0.92
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
- CVE-2020-8656Feb 6, 2020risk 0.10cvss —epss 0.85
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
- CVE-2021-27514Feb 21, 2021risk 0.01cvss —epss 0.04
EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation).
- CVE-2019-14923Aug 16, 2019risk 0.01cvss —epss 0.04
EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.
- CVE-2022-41572Jan 7, 2025risk 0.00cvss —epss 0.01
An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Privilege escalation can be accomplished on the server because nmap can be run as root. The attacker achieves total control over the server.
- CVE-2022-41434Nov 8, 2022risk 0.00cvss —epss 0.00
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php.
- CVE-2022-41571Sep 27, 2022risk 0.00cvss —epss 0.01
An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Local file inclusion can occur.
- CVE-2022-41570Sep 27, 2022risk 0.00cvss —epss 0.01
An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Unauthenticated SQL injection can occur.
- CVE-2022-38357Aug 15, 2022risk 0.00cvss —epss 0.01
Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php.
- CVE-2022-38358Aug 15, 2022risk 0.00cvss —epss 0.01
Improper neutralization of input during web page generation leaves the Eyes of Network web application vulnerable to cross-site scripting attacks at /module/admin_notifiers/rules.php and /module/report_event/indext.php via the parameters rule_notification, rule_name, and…
- CVE-2021-40643Jun 30, 2022risk 0.00cvss —epss 0.03
EyesOfNetwork before 07-07-2021 has a Remote Code Execution vulnerability on the mail options configuration page. In the location of the "sendmail" application in the "cacti" configuration page (by default/usr/sbin/sendmail) it is possible to execute any command, which will be…
- CVE-2022-24612Feb 25, 2022risk 0.00cvss —epss 0.01
An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS.
- CVE-2020-27887Oct 29, 2020risk 0.00cvss —epss 0.02
An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php.
Page 2 of 2