Vulnerabilities > Sapphireims
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-11 | CVE-2017-16629 | Information Exposure Through an Error Message vulnerability in Sapphireims 40971 In SapphireIMS 4097_1, it is possible to guess the registered/active usernames of the software from the errors it gives out for each type of user on the Login form. | 5.0 |
| 2021-08-11 | CVE-2017-16630 | Incorrect Permission Assignment for Critical Resource vulnerability in Sapphireims 40971 In SapphireIMS 4097_1, a guest user can create a local administrator account on any system that has SapphireIMS installed, because of an Insecure Direct Object Reference (IDOR) in the local user creation function. | 6.5 |
| 2021-08-11 | CVE-2017-16631 | Incorrect Permission Assignment for Critical Resource vulnerability in Sapphireims 40971 In SapphireIMS 4097_1, a guest user is able to change the password of an administrative user by utilizing an Insecure Direct Object Reference (IDOR) in the "Account Password Reset" functionality. | 4.0 |
| 2021-08-11 | CVE-2017-16632 | Inadequate Encryption Strength vulnerability in Sapphireims 40971 In SapphireIMS 4097_1, the password in the database is stored in Base64 format. | 5.0 |
| 2021-08-11 | CVE-2020-25560 | OS Command Injection vulnerability in Sapphireims 5.0 In SapphireIMS 5.0, it is possible to use the hardcoded credential in clients (username: sapphire, password: ims) and gain access to the portal. | 7.5 |
| 2021-08-11 | CVE-2020-25561 | Use of Hard-coded Credentials vulnerability in Sapphireims 5.0 SapphireIMS 5 utilized default sapphire:ims credentials to connect the client to server. | 4.6 |
| 2021-08-11 | CVE-2020-25562 | Cross-Site Request Forgery (CSRF) vulnerability in Sapphireims 5.0 In SapphireIMS 5.0, there is no CSRF token present in the entire application. | 4.3 |
| 2021-08-11 | CVE-2020-25563 | Missing Authentication for Critical Function vulnerability in Sapphireims 5.0 In SapphireIMS 5.0, it is possible to create local administrator on any client without requiring any credentials by directly accessing RemoteMgmtTaskSave (Automation Tasks) feature and not having a JSESSIONID. | 7.5 |
| 2021-08-11 | CVE-2020-25564 | Incorrect Authorization vulnerability in Sapphireims 5.0 In SapphireIMS 5.0, it is possible to create local administrator on any client with credentials of a non-privileged user by directly accessing RemoteMgmtTaskSave (Automation Tasks) feature. | 6.5 |
| 2021-08-11 | CVE-2020-25565 | Use of Hard-coded Credentials vulnerability in Sapphireims 5.0 In SapphireIMS 5.0, it is possible to use the hardcoded credential in clients (username: sapphire, password: ims) and gain access to the portal. | 7.5 |