lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 8 Jul 2021 09:55:07 +0200
From: Dariusz G <dariusz.gonda@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Novus Managment System Vulnerabilities (CVE-2021-34820,
	CVE-2021-38421)

Hello,

Vulnerabilities mentioned below are fixed in the NMS with 1.51.2 version.
Vendor has already published the patches. Please visit
https://nms.aat.pl/en/ to download patches for the NMS software. I believe
that all NMS software with version below 1.51.2 is affected by Web Path
Traversal and Cross-Site Scripting vulnerabilities. However the vendor was
not able to provide a clear statement  about affected versions of NMS
software.

CVE-2021-34820  - Web Path Directory Traversal

Web Path Directory Traversal in the Novus HTTP Server. The Novus HTTP
Server is affected by the Directory Traversal for Arbitrary File Access
vulnerability. A remote, unauthenticated attacker using an HTTP GET request
may be able to exploit this issue to access sensitive data. The issue was
discovered in the NMS (Novus Management System) software.

Severity: Critical CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L (10)
Credit: Dariusz Gońda

CVE-2021-38421 Cross Site Scripting (Reflected)

The NMS before version 1.51.2, the WebUI has wrong HTTP 404 error handling
implemented. A remote, unauthenticated attacker may be able to exploit the
issue by sending malicious HTTP requests to non-existing URIs. The value of
the URL path filename is copied into the HTML document as plain text
tags.

Severity: Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)
Credit: Dariusz Gońda

Timeline:

10 April 2021 - bug discovered
12 April 2021 - vendor informed
13 April 2021 - vendor asked to provide more details about Web Directory
Path Traversal issue 20 April 2021 - vendor confirmed vulnerabilities
16 June 2021 - vendor provided the statement that a patch has been already
published
17 June 2021 – CVE numbers assigned
8 July 2021 - vulnerabilities published


Regards,
Dariusz Gońda

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists