VYPR
Vendor

Archibus

Products
2
CVEs
10
Across products
10
Status
Private

Products

2

Recent CVEs

10
  • CVE-2022-28862CriMay 25, 2022
    risk 0.64cvss 9.8epss 0.01

    In Archibus Web Central before 26.2, multiple SQL Injection vulnerabilities occur in dwr/call/plaincall/workflow.runWorkflowRule.dwr. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perform unauthorized (and unexpected)…

  • CVE-2021-41553CriOct 5, 2021
    risk 0.64cvss 9.8epss 0.01

    In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. It was therefore possible to access the application through a user whose credentials were not known, without…

  • CVE-2021-41554HigOct 5, 2021
    risk 0.57cvss 8.8epss 0.01

    ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.ax…

  • CVE-2023-48645HigFeb 2, 2024
    risk 0.51cvss 7.8epss 0.00

    An issue was discovered in the Archibus app 4.0.3 for iOS. It uses a local database that is synchronized with a Web central server instance every time the application is opened, or when the refresh button is used. There is a SQL injection in the search work request feature in…

  • CVE-2022-45166MedJan 10, 2023
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a set of user-controlled parameters that are used to act on the data returned to the user. It allows a basic user to access data unrelated to their role.

  • CVE-2022-45165MedJan 10, 2023
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a user-controlled parameter that is used to create an SQL query. It causes this service to be prone to SQL injection.

  • CVE-2023-48644MedMar 5, 2024
    risk 0.40cvss 6.1epss 0.00

    An issue was discovered in the Archibus app 4.0.3 for iOS. There is an XSS vulnerability in the create work request feature of the maintenance module, via the description field. This allows an attacker to perform an action on behalf of the user, exfiltrate data, and so on.

  • CVE-2021-41555MedOct 5, 2021
    risk 0.40cvss 6.1epss 0.01

    In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), XSS occurs in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr because the data received as input from clients is re-included within the HTTP response returned by the application without adequate validation. In…

  • CVE-2022-45167MedJan 10, 2023
    risk 0.28cvss 4.3epss 0.00

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to access the profile information of all connected users.

  • CVE-2022-45164MedJan 10, 2023
    risk 0.28cvss 4.3epss 0.00

    An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to cancel (delete) a booking, created by someone else - even if this basic user is not a member of the booking

VYPR — Vulnerability Intelligence