Vulnerabilities > Spiceworks

DATE CVE VULNERABILITY TITLE RISK
2023-11-09 CVE-2021-43609 SQL Injection vulnerability in Spiceworks Help Desk Server
An issue was discovered in Spiceworks Help Desk Server before 1.3.3.
network
low complexity
spiceworks CWE-89
8.8
2020-12-18 CVE-2020-25901 Open Redirect vulnerability in Spiceworks 7.5.7.0
Host Header Injection in Spiceworks 7.5.7.0 allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
5.8
2020-09-15 CVE-2020-23451 Cross-Site Request Forgery (CSRF) vulnerability in Spiceworks
Spiceworks Version <= 7.5.00107 is affected by CSRF which can lead to privilege escalation via "/settings/v1/users" function.
6.8
2020-09-01 CVE-2020-23450 Cross-site Scripting vulnerability in Spiceworks
Spiceworks Version <= 7.5.00107 is affected by XSS.
network
spiceworks CWE-79
3.5
2017-04-10 CVE-2015-6021 Cross-site Scripting vulnerability in Spiceworks Desktop
Spiceworks Desktop before 2015-12-01 has XSS via an SNMP response.
network
spiceworks CWE-79
4.3
2017-04-06 CVE-2017-7237 Unspecified vulnerability in Spiceworks 7.5
The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks data\configurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file.
network
low complexity
spiceworks
7.5
2014-09-17 CVE-2012-6658 Cross-Site Scripting vulnerability in Spiceworks 5.3.75941
Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf.
network
spiceworks CWE-79
4.3
2014-09-17 CVE-2012-2956 SQL Injection vulnerability in Spiceworks 5.3.75941
SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json.
network
low complexity
spiceworks CWE-89
6.5
2014-09-11 CVE-2014-3740 Cross-Site Scripting vulnerability in Spiceworks 7.2.00174/7.2.00189
Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.
network
spiceworks CWE-79
3.5