StoneFly
Recent CVEs (7)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-56413 | | Critical | 0.65 | 10.0 | — | | Jun 30, 2026 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted… |
| CVE-2026-56415 | | Critical | 0.65 | 10.0 | — | | Jun 30, 2026 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input… |
| CVE-2026-55721 | | Critical | 0.60 | 9.3 | — | | Jun 30, 2026 | Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to… |
| CVE-2026-50110 | | Critical | 0.60 | 9.2 | — | | Jun 30, 2026 | Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of… |
| CVE-2024-30213 | | High | 0.58 | 8.8 | 0.01 | | Jul 12, 2024 | StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows remote authenticated users to achieve Command Injection via a Ping URL, leading to remote code execution. |
| CVE-2026-50040 | | Medium | 0.40 | 6.1 | — | | Jun 30, 2026 | Storage Concentrator (SC & SCVM) is vulnerable to reflected cross-site scripting (XSS) due to unsanitized content being echoed back in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, causes arbitrary script content to execute… |
| CVE-2024-31947 | | | 0.00 | — | 0.01 | | Jul 12, 2024 | StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows Directory Traversal by authenticated users. Using a crafted path parameter with the Online Help facility can expose sensitive system information. |