VYPR
Vendor

Nedit

Products
1
CVEs
26
Across products
26
Status
Private

Products

1

Recent CVEs

26
View all 26 CVEs →
  • CVE-2021-26753CriFeb 12, 2021
    risk 0.64cvss 9.9epss 0.01

    NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.

  • CVE-2022-40895CriOct 6, 2022
    risk 0.59cvss 9.1epss 0.02

    In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in…

  • CVE-2018-20727HigJan 17, 2019
    risk 0.58cvss 8.8epss 0.06

    Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.

  • CVE-2021-26752HigFeb 12, 2021
    risk 0.57cvss 8.8epss 0.01

    NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all…

  • CVE-2021-26751HigFeb 12, 2021
    risk 0.57cvss 8.8epss 0.01

    NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and obtain access to the NeDi application.

  • CVE-2020-14414HigJun 29, 2020
    risk 0.57cvss 8.8epss 0.04

    NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw…

  • CVE-2018-20728HigJan 17, 2019
    risk 0.57cvss 8.8epss 0.01

    A cross site request forgery (CSRF) vulnerability in NeDi before 1.7Cp3 allows remote attackers to escalate privileges via User-Management.php.

  • CVE-2018-20730HigJan 17, 2019
    risk 0.49cvss 7.5epss 0.01

    A SQL injection vulnerability in NeDi before 1.7Cp3 allows any user to execute arbitrary SQL read commands via the query.php component.

  • CVE-2020-14413MedJun 29, 2020
    risk 0.40cvss 6.1epss 0.03

    NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a…

  • CVE-2020-15017MedJun 26, 2020
    risk 0.40cvss 6.1epss 0.01

    NeDi 1.9C is vulnerable to reflected cross-site scripting. The Devices-Config.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the sta GET parameter.

  • CVE-2020-15016MedJun 26, 2020
    risk 0.40cvss 6.1epss 0.01

    NeDi 1.9C is vulnerable to reflected cross-site scripting. The Other-Converter.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the txt GET parameter.

  • CVE-2018-20731MedJan 17, 2019
    risk 0.40cvss 6.1epss 0.01

    A stored cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 allows remote attackers to inject arbitrary web script or HTML via User-Chat.php.

  • CVE-2018-20729MedJan 17, 2019
    risk 0.40cvss 6.1epss 0.01

    A reflected cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 allows remote attackers to inject arbitrary web script or HTML via the reg parameter in mh.php.

  • CVE-2020-23989MedNov 2, 2020
    risk 0.35cvss 5.4epss 0.01

    NeDi 1.9C allows pwsec.php oid XSS.

  • CVE-2020-23868MedNov 2, 2020
    risk 0.35cvss 5.4epss 0.01

    NeDi 1.9C allows inc/rt-popup.php d XSS.

  • CVE-2020-15035MedJul 7, 2020
    risk 0.35cvss 5.4epss 0.01

    NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Map.php hde parameter.

  • CVE-2020-15034MedJul 7, 2020
    risk 0.35cvss 5.4epss 0.01

    NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Setup.php tet parameter.

  • CVE-2020-15033MedJul 7, 2020
    risk 0.35cvss 5.4epss 0.01

    NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the snmpget.php ip parameter.

  • CVE-2020-15032MedJul 7, 2020
    risk 0.35cvss 5.4epss 0.01

    NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Incidents.php id parameter.

  • CVE-2020-15031MedJul 7, 2020
    risk 0.35cvss 5.4epss 0.01

    NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php chg parameter.