VYPR

Eonweb

by Eonweb Project

CVEs (9)

  • CVE-2017-6087 · High · Mar 24, 2017
    risk 0.61 · cvss 8.8 · epss 0.07

    EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_functions.php or the (4)…

  • CVE-2020-9465 · Feb 28, 2020
    risk 0.10 · cvss · epss 0.82

    An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie.

  • CVE-2020-8654 · Feb 6, 2020
    risk 0.10 · cvss · epss 0.86

    An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field.

  • CVE-2021-27513 · Feb 21, 2021
    risk 0.04 · cvss · epss 0.28

    The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."

  • CVE-2021-33525 · May 24, 2021
    risk 0.01 · cvss · epss 0.08

    EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.

  • CVE-2022-41570 · Sep 27, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Unauthenticated SQL injection can occur.

  • CVE-2022-24612 · Feb 25, 2022
    risk 0.00 · cvss · epss 0.01

    An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS.

  • CVE-2020-27886 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php).

  • CVE-2020-24390 · Aug 27, 2020
    risk 0.00 · cvss · epss 0.01

    eonweb in EyesOfNetwork before 5.3-7 does not properly escape the username on the /module/admin_logs page, which might allow pre-authentication stored XSS during login/logout logs recording.