Eyesofnetwork

All CVEs

35 total · sorted by risk
  • CVE-2017-14403 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the term parameter to module/admin_group/search.php.

  • CVE-2017-14402 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT CREATION" section, related to lack of input validation in include/function.php.

  • CVE-2017-14401 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT UPDATE" section.

  • CVE-2017-14252 · Critical · Sep 11, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the group_id cookie to side.php.

  • CVE-2017-14247 · Critical · Sep 11, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the user_id cookie to header.php, a related issue to CVE-2017-1000060.

  • CVE-2017-1000060 · Critical · Jul 17, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root

  • CVE-2017-6087 · High · Mar 24, 2017
    risk 0.61 · cvss 8.8 · epss 0.07

    EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_functions.php or the (4)…

  • CVE-2017-14119 · High · Sep 3, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all\tools\snmpwalk.php does not properly restrict popen calls, which allows remote attackers to execute arbitrary commands via shell metacharacters in a parameter.

  • CVE-2017-14118 · High · Sep 3, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all\tools\interface.php does not properly restrict exec calls, which allows remote attackers to execute arbitrary commands via shell metacharacters in the host_list parameter to module/tool_all/select_tool.php.

  • CVE-2017-6088 · High · Apr 11, 2017
    risk 0.50 · cvss 7.2 · epss 0.06

    Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) bp_name, (2) display, (3) search, or (4) equipment parameter to module/monitoring_ged/ged_functions.php or the (5)…

  • CVE-2017-14404 · High · Sep 13, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows local file inclusion via the tool_list parameter (aka the url_tool variable) to module/tool_all/select_tool.php, as demonstrated by a tool_list=php://filter/ substring.

  • CVE-2017-13780 · High · Aug 30, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows directory traversal attacks for reading arbitrary files via the module/admin_conf/download.php file parameter.

  • CVE-2017-16000 · High · Oct 29, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the graph parameter to module/capacity_per_label/index.php.

  • CVE-2017-15933 · High · Oct 27, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the host parameter to module/capacity_per_device/index.php.

  • CVE-2017-15880 · High · Oct 24, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the group_name parameter to module/admin_group/add_modify_group.php (for insert_group and…

  • CVE-2017-14405 · High · Sep 13, 2017
    risk 0.47 · cvss 7.2 · epss 0.04

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote command execution via shell metacharacters in a hosts_cacti array parameter to module/admin_device/index.php.

  • CVE-2017-14985 · Medium · Oct 3, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the url parameter to module/module_frame/index.php.

  • CVE-2017-14984 · Medium · Oct 3, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the bp_name parameter to /module/admin_bp/add_services.php.

  • CVE-2017-14753 · Medium · Sep 27, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the filter parameter to module/module_filters/index.php.

  • CVE-2017-15188 · Medium · Oct 11, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    A persistent (stored) XSS vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the hosts array parameter to module/admin_device/index.php.

  • CVE-2017-14983 · Medium · Oct 3, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the object parameter to module/admin_conf/index.php.

  • CVE-2020-8655 · KEV · Feb 6, 2020
    risk 0.22 · cvss · epss 0.58

    An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.

  • CVE-2020-8657 · KEV · Feb 6, 2020
    risk 0.22 · cvss · epss 0.92

    An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.

  • CVE-2020-8656 · Feb 6, 2020
    risk 0.10 · cvss · epss 0.85

    An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.

  • CVE-2021-27514 · Feb 21, 2021
    risk 0.01 · cvss · epss 0.04

    EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation).

  • CVE-2019-14923 · Aug 16, 2019
    risk 0.01 · cvss · epss 0.04

    EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.

  • CVE-2022-41572 · Jan 7, 2025
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Privilege escalation can be accomplished on the server because nmap can be run as root. The attacker achieves total control over the server.

  • CVE-2022-41434 · Nov 8, 2022
    risk 0.00 · cvss · epss 0.00

    EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php.

  • CVE-2022-41571 · Sep 27, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Local file inclusion can occur.

  • CVE-2022-41570 · Sep 27, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Unauthenticated SQL injection can occur.

  • CVE-2022-38357 · Aug 15, 2022
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php.

  • CVE-2022-38358 · Aug 15, 2022
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of input during web page generation leaves the Eyes of Network web application vulnerable to cross-site scripting attacks at /module/admin_notifiers/rules.php and /module/report_event/indext.php via the parameters rule_notification, rule_name, and…

  • CVE-2021-40643 · Jun 30, 2022
    risk 0.00 · cvss · epss 0.03

    EyesOfNetwork before 07-07-2021 has a Remote Code Execution vulnerability on the mail options configuration page. In the location of the "sendmail" application in the "cacti" configuration page (by default /usr/sbin/sendmail) it is possible to execute any command, which will be…

  • CVE-2022-24612 · Feb 25, 2022
    risk 0.00 · cvss · epss 0.01

    An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS.

  • CVE-2020-27887 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php.