Skip to main content

Zenoss Core CVE-2014-6254

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2014-12-15 cve@mitre.org
4.3
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:N/I:P/A:N
Attack Vector
Network
Attack Complexity
M
Confidentiality
None
Integrity
P
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 15, 2014 - 18:59 cve.org
MEDIUM 4.3

DescriptionCVE.org

Multiple cross-site scripting (XSS) vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to inject arbitrary web script or HTML via an attribute in a (1) device name, (2) device detail, (3) report name, (4) report detail, or (5) portlet name, or (6) a string to a helper method, aka ZEN-15381 and ZEN-15410.

AnalysisAI

Multiple cross-site scripting (XSS) vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to inject arbitrary web script or HTML via an attribute in a (1) device name, (2) device. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Multiple cross-site scripting (XSS) vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to inject arbitrary web script or HTML via an attribute in a (1) device name, (2) device detail, (3) report name, (4) report detail, or (5) portlet name, or (6) a string to a helper method, aka ZEN-15381 and ZEN-15410. Affected products include: Zenoss Zenoss Core. Version information: through 5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2014-6261 CRITICAL
9.3 Dec 15

Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to

CVE-2014-9249 HIGH
7.5 Dec 15

The default configuration of Zenoss Core before 5 allows remote attackers to read or modify database information by conn

CVE-2014-6256 HIGH
7.5 Dec 15

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions and place files in a directo

CVE-2014-9385 MEDIUM
6.8 Dec 15

Cross-site request forgery (CSRF) vulnerability in Zenoss Core through 5 Beta 3 allows remote attackers to hijack the au

CVE-2014-9386 MEDIUM
6.8 Dec 15

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote att

CVE-2014-6260 MEDIUM
6.8 Dec 15

Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote att

CVE-2014-6253 MEDIUM
6.8 Dec 15

Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to hij

CVE-2014-6255 MEDIUM
6.4 Dec 15

Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect user

CVE-2014-6259 MEDIUM
5.0 Dec 15

Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers t

CVE-2014-6258 MEDIUM
5.0 Dec 15

An unspecified endpoint in Zenoss Core through 5 Beta 3 allows remote attackers to cause a denial of service (CPU consum

CVE-2014-9248 MEDIUM
5.0 Dec 15

Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain ac

CVE-2014-6257 MEDIUM
5.0 Dec 15

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions by using a web-endpoint URL

Share

CVE-2014-6254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy