Zenoss Core 5.0.0: published vulnerabilities

DATE  CVE  VULNERABILITY TITLE
    Description
    Attack vector | Access complexity (where listed) | CWE | Vendor | Severity (where listed) | CVSS v2 base score (RISK)
2014-12-15  CVE-2014-9385  Cross-Site Request Forgery (CSRF) vulnerability in Zenoss Core
    Cross-site request forgery (CSRF) vulnerability in Zenoss Core through 5 Beta 3 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger arbitrary code execution via a ZenPack upload, aka ZEN-15388.
    Attack vector: network | CWE-352 | Vendor: zenoss | CVSS v2: 6.8
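The defence the CSRF entry calls for is a per-session anti-forgery token that a cross-origin page cannot read or mint, checked on every state-changing request such as a ZenPack upload. The following is an added example written for this page, not Zenoss code: the cookie name `session`, the form field `csrf_token`, the `request` dictionary and the ZenPack file names are all assumptions used to make the example self-contained.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key for minting tokens. A deployment loads this from
# configuration; it is generated per process here so the example runs alone.
CSRF_KEY = secrets.token_bytes(32)


def issue_csrf_token(key, session_id, now=None):
    """Mint a token bound to one session: "<ts>:<nonce>:<hmac>"."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, f"{session_id}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def verify_csrf_token(key, session_id, token, max_age=3600, now=None):
    """Accept only a token minted for *this* session within max_age seconds."""
    try:
        ts_text, nonce, mac = token.split(":")
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if not (current - max_age <= ts <= current + 60):   # expired or from the future
        return False
    expected = hmac.new(key, f"{session_id}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)            # constant-time comparison


def handle_zenpack_upload(key, request):
    """Hypothetical upload handler. `request` is a constructed stand-in for a
    framework request: {"method", "cookies": {...}, "form": {...}}. The cookie
    and form field names are assumptions, not Zenoss's own."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401, "login required"
    token = request["form"].get("csrf_token")
    if token is None or not verify_csrf_token(key, session_id, token):
        # A cross-site form post carries the victim's session cookie automatically,
        # but the attacking page can neither read nor forge a token for that session.
        return 403, "missing or invalid CSRF token"
    return 200, f"installed {request['form'].get('zenpack', '?')}"


def demo(key=CSRF_KEY):
    """Status codes for a legitimate upload, a forged cross-site upload, and a
    forged upload that reuses a token from the attacker's own session."""
    victim = "sess-victim"
    legit = {"method": "POST", "cookies": {"session": victim},
             "form": {"csrf_token": issue_csrf_token(key, victim), "zenpack": "example-zenpack.egg"}}
    forged = {"method": "POST", "cookies": {"session": victim},
              "form": {"zenpack": "backdoor.egg"}}
    reused = {"method": "POST", "cookies": {"session": victim},
              "form": {"csrf_token": issue_csrf_token(key, "sess-attacker"), "zenpack": "backdoor.egg"}}
    return tuple(handle_zenpack_upload(key, r)[0] for r in (legit, forged, reused))


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The token is an HMAC over the session id, an issue time and a nonce, so it needs no server-side storage and cannot be transplanted between sessions. Binding to the session is what defeats the third case, where an attacker obtains a valid token for their own login and tries to replay it against the victim. Checking the Origin or Referer header on POSTs is a cheap second layer, but it is not a substitute for the token.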
2014-12-15  CVE-2014-9252  Information Exposure vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416.
    Attack vector: local | Access complexity: low | CWE-200 | Vendor: zenoss | CVSS v2: 2.1
2014-12-15  CVE-2014-9251  Credentials Management vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 uses a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack on hash values in the database, aka ZEN-15413.
    Attack vector: network | Access complexity: low | CWE-255 | Vendor: zenoss | CVSS v2: 5.0
2014-12-15  CVE-2014-9250  Information Exposure vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418.
    Attack vector: network | Access complexity: low | CWE-200 | Vendor: zenoss | CVSS v2: 5.0
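A quick way to catch the HttpOnly omission in this entry during a review is to parse each Set-Cookie header a login response returns and flag credential cookies that lack the protective attributes. The code below is an added example, not Zenoss code: the two headers are constructed, and the cookie name `auth_session` is an assumed name for the example rather than the name Zenoss uses.

```python
# Constructed Set-Cookie headers. The first shows the pattern in this entry
# (authentication cookie issued without HttpOnly); the second is the hardened form.
VULNERABLE = "auth_session=3f9c2a7b1e0d; Path=/"
HARDENED = "auth_session=3f9c2a7b1e0d; Path=/; HttpOnly; Secure; SameSite=Lax"

# Cookie names treated as credentials. "auth_session" is an assumed name for
# the example, not the name Zenoss uses.
SENSITIVE_NAMES = {"auth_session"}

WHY = {
    "HttpOnly": "readable from JavaScript via document.cookie, so any XSS leaks it",
    "Secure": "sent on plaintext HTTP requests, so a network attacker can read it",
    "SameSite": "attached to cross-site requests, which helps CSRF",
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute keys are lower-cased; flag attributes such as HttpOnly map to True."""
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, sensitive=SENSITIVE_NAMES):
    """Return the protective attributes missing from a credential cookie."""
    name, _, attrs = parse_set_cookie(header)
    if name not in sensitive:
        return []
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        missing.append("SameSite")
    return missing


def audit_response(headers):
    """Audit every Set-Cookie header of one response; returns {cookie: [findings]}."""
    report = {}
    for h in headers:
        name, _, _ = parse_set_cookie(h)
        for attr in audit_cookie(h):
            report.setdefault(name, []).append(f"missing {attr}: {WHY[attr]}")
    return report


if __name__ == "__main__":
    for line in audit_response([VULNERABLE]).get("auth_session", []):
        print(line)
    print(audit_response([HARDENED]))  # {}
```

Against a live instance, `curl -skI https://<host>/` and pass the `Set-Cookie` lines to `audit_response`. Keep in mind what HttpOnly does and does not buy: it stops injected script from reading the cookie value, which is the exposure this entry describes, but script running in the page can still send authenticated requests with the browser attaching the cookie on its behalf.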
2014-12-15  CVE-2014-9248  Credentials Management vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain access via a brute-force attack, aka ZEN-15406.
    Attack vector: network | Access complexity: low | CWE-255 | Vendor: zenoss | CVSS v2: 5.0
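The weak-hash entry (CVE-2014-9251) and the missing-complexity entry (CVE-2014-9248) are two halves of the same brute-force problem: a fast, unsalted hash lets an attacker with the database test a candidate word against every account in one digest, and a weak password policy guarantees the wordlist will contain hits. The following added example, not Zenoss code, shows the attack against constructed rows, the salted PBKDF2 replacement, and a minimal policy check. The page does not name the weak algorithm Zenoss used, so unsalted SHA-1 stands in for it; the rows, wordlist and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed rows in the shape of a legacy credential store: user -> unsalted
# SHA-1 hex. The page does not name the weak algorithm; unsalted SHA-1 stands in.
WEAK_ROWS = {
    "admin": hashlib.sha1(b"zenoss").hexdigest(),
    "ops":   hashlib.sha1(b"Summer2014").hexdigest(),
    "ro":    hashlib.sha1(b"Summer2014").hexdigest(),   # same password as "ops"
}
# Constructed wordlist; a real attack uses millions of entries plus mangling rules.
WORDLIST = ["password", "zenoss", "admin", "Summer2014", "letmein", "monitor"]


def crack_unsalted(rows, wordlist, algo="sha1"):
    """Unsalted, fast hash: one digest per candidate word is compared against
    every row at once, and users who share a password fall together."""
    lookup = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in rows.items() if h in lookup}


ITERATIONS = 210_000   # tune so one verification costs on the order of 100 ms


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow replacement: per-user 16-byte random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_by_user, wordlist):
    """With per-user salts every (user, word) pair costs a full KDF run, so the
    precomputed lookup trick above no longer applies."""
    found = {}
    for user, stored in stored_by_user.items():
        for word in wordlist:
            if verify_password(word, stored):
                found[user] = word
                break
    return found


def password_acceptable(password, min_len=12, denylist=WORDLIST):
    """Minimum complexity policy: length, three of four character classes,
    and not in a denylist of common or breached passwords."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return (len(password) >= min_len and classes >= 3
            and password.lower() not in {w.lower() for w in denylist})


if __name__ == "__main__":
    print(crack_unsalted(WEAK_ROWS, WORDLIST))
    # {'admin': 'zenoss', 'ops': 'Summer2014', 'ro': 'Summer2014'}
    stored = hash_password("zenoss")
    print(verify_password("zenoss", stored), verify_password("Zenoss", stored))  # True False
    print(password_acceptable("Summer2014"), password_acceptable("c0rrect-H0rse-b4ttery"))  # False True
```

Two things to note. First, `crack_salted` still succeeds against a weak password; the salt and iteration count only multiply the attacker's cost per guess, which is why the policy check is needed alongside the KDF. Second, CVE-2014-9248 is rated as a network attack, so the online side matters too: lockout or rate limiting on the login form is what turns "easier via brute force" back into an expensive exercise.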
2014-12-15  CVE-2014-9247  Information Exposure vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389.
    Attack vector: network | Access complexity: low | CWE-200 | Vendor: zenoss | CVSS v2: 4.0
2014-12-15  CVE-2014-9245  Information Exposure vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382.
    Attack vector: network | Access complexity: low | CWE-200 | Vendor: zenoss | CVSS v2: 5.0
2014-12-15  CVE-2014-6261  Code Injection vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to execute arbitrary code by (1) spoofing the callhome server or (2) deploying a crafted web site that is visited during a login session, aka ZEN-12657.
    Attack vector: network | CWE-94 | Vendor: zenoss | Severity: critical | CVSS v2: 9.3
2014-12-15  CVE-2014-6260  Command Injection vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote attackers to execute arbitrary commands or cause a denial of service (paging outage) by leveraging an unattended workstation, aka ZEN-15412.
    Attack vector: network | CWE-77 | Vendor: zenoss | CVSS v2: 6.8
2014-12-15  CVE-2014-6259  Resource Management Errors vulnerability in Zenoss Core
    Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka ZEN-15414, a similar issue to CVE-2003-1564.
    Attack vector: network | Access complexity: low | CWE-399 | Vendor: zenoss | CVSS v2: 5.0
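The entity-expansion entry refers to the "billion laughs" pattern of CVE-2003-1564: a handful of nested internal entities whose expanded size grows geometrically, plus the degenerate case of an entity that references itself. The defence is to size the expansion before performing it and to refuse recursion outright. The following added example (not Zenoss code; the regex-based DTD scanner, the size limit and the sample documents are all constructed for this page) walks the internal DTD subset, computes the expanded length of each entity with memoisation, and raises on cycles, external entities or an expansion over a budget, all without handing the document to a real parser.

```python
import re

# Conservative scanner for the internal DTD subset. Anything it cannot
# classify as a plain internal entity is rejected rather than ignored.
DOCTYPE = re.compile(r"<!DOCTYPE\s+\w+([^\[>]*)\[(.*?)\]\s*>", re.S)
INTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(\w+)\s+([\"'])(.*?)\2\s*>", re.S)
EXTERNAL_OR_PARAM = re.compile(r"<!ENTITY\s+(?:%|\w+\s+(?:SYSTEM|PUBLIC)\b)")
ENTITY_REF = re.compile(r"&(\w+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}  # built in, each expands to one char


class UnsafeXML(ValueError):
    pass


def estimate_expansion(xml_text, max_entities=100):
    """Size the entity expansion of a document without performing it.
    Raises UnsafeXML on recursive, external or parameter entities."""
    m = DOCTYPE.search(xml_text)
    if m is None:
        return {"entities": 0, "expansion": 0}
    if re.search(r"\b(?:SYSTEM|PUBLIC)\b", m.group(1)):
        raise UnsafeXML("external DTD reference")
    subset = m.group(2)
    if EXTERNAL_OR_PARAM.search(subset):
        raise UnsafeXML("external or parameter entity declaration")
    entities = {name: value for name, _quote, value in INTERNAL_ENTITY.findall(subset)}
    if len(entities) > max_entities:
        raise UnsafeXML(f"{len(entities)} entity declarations")
    memo = {}

    def size_of(name, stack):
        if name in PREDEFINED:
            return 1
        if name in stack:   # the recursion this entry says went undetected
            raise UnsafeXML("recursive entity reference: " + " -> ".join(stack + [name]))
        if name not in entities:
            raise UnsafeXML(f"reference to undeclared entity &{name};")
        if name not in memo:
            value, total, last = entities[name], 0, 0
            for ref in ENTITY_REF.finditer(value):
                total += ref.start() - last + size_of(ref.group(1), stack + [name])
                last = ref.end()
            memo[name] = total + len(value) - last
        return memo[name]

    body = xml_text[m.end():]
    expansion = sum(size_of(ref.group(1), []) for ref in ENTITY_REF.finditer(body))
    return {"entities": len(entities), "expansion": expansion}


def check_xml(xml_text, max_expansion=1_000_000):
    """Gate to run before handing untrusted XML to a real parser."""
    info = estimate_expansion(xml_text)
    if info["expansion"] > max_expansion:
        raise UnsafeXML(f"entity expansion would produce {info['expansion']:,} bytes")
    return info


def is_safe(xml_text, max_expansion=1_000_000):
    try:
        check_xml(xml_text, max_expansion)
        return True
    except UnsafeXML:
        return False


def billion_laughs(depth=9, fanout=10):
    """Constructed sample: the CVE-2003-1564 "billion laughs" document."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n ' + "\n ".join(decls)
            + f"\n]>\n<lolz>&lol{depth};</lolz>\n")


# More constructed samples: a benign internal entity and a direct cycle.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE note [\n <!ENTITY vendor "Zenoss, Inc.">\n]>\n'
          "<note>&vendor; &amp; partners</note>\n")
RECURSIVE = '<!DOCTYPE r [\n <!ENTITY a "&b;">\n <!ENTITY b "&a;">\n]>\n<r>&a;</r>\n'


if __name__ == "__main__":
    print(estimate_expansion(billion_laughs()))   # {'entities': 10, 'expansion': 3000000000}
    print(is_safe(billion_laughs()), is_safe(RECURSIVE), is_safe(BENIGN))  # False False True
```

The nine-level sample is about a kilobyte on the wire and would expand to three gigabytes, which is the ratio that makes the attack a denial of service rather than a nuisance; `estimate_expansion` reports that number in microseconds because it sizes the tree instead of building it. In production the simpler route is to use a parser configured to forbid DTDs entirely, but a pre-check like this is useful where a legacy feature genuinely needs internal entities, and the same logic extends to the other inputs this pattern reaches through (SOAP, RSS, config import).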