Vulnerabilities > Novell > Filr
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-08-01 | CVE-2016-1611 | Permissions, Privileges, and Access Controls vulnerability in Novell Filr 1.2/2.0 Novell Filr 1.2 before Hot Patch 6 and 2.0 before Hot Patch 2 uses world-writable permissions for /etc/profile.d/vainit.sh, which allows local users to gain privileges by replacing this file's content with arbitrary shell commands. | 7.8 |
| 2016-08-01 | CVE-2016-1610 | Path Traversal vulnerability in Novell Filr 1.2/2.0 Directory traversal vulnerability in the email-template feature in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote attackers to bypass intended access restrictions and write to arbitrary files via a .. | 7.5 |
| 2016-08-01 | CVE-2016-1609 | Cross-site Scripting vulnerability in Novell Filr 1.2/2.0 Multiple cross-site scripting (XSS) vulnerabilities in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allow remote authenticated users to inject arbitrary web script or HTML via crafted input, as demonstrated by a crafted attribute of an IMG element in the phone field of a user profile. | 5.4 |
| 2016-08-01 | CVE-2016-1608 | Improper Access Control vulnerability in Novell Filr 1.2/2.0 vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter. | 8.8 |
| 2016-08-01 | CVE-2016-1607 | Cross-Site Request Forgery (CSRF) vulnerability in Novell Filr 1.2/2.0 Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative interface in Novell Filr before 2.0 Security Update 2 allow remote attackers to hijack the authentication of administrators, as demonstrated by reconfiguring time settings via a vaconfig/time request. | 7.2 |
| 2016-03-18 | CVE-2015-5968 | Cross-site Scripting vulnerability in Novell Filr 1.2 Cross-site scripting (XSS) vulnerability in Novell Filr 1.2 before Hot Patch 4 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 6.1 |