Source: ocsinventory-server
Version: 2.4.1+dfsg-2
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for ocsinventory-server.

CVE-2018-12482[0]:
| OCS Inventory 2.4.1 contains multiple SQL injections in the search
| engine. Authentication is needed in order to exploit the issues.

CVE-2018-12483[1]:
| OCS Inventory 2.4.1 is prone to a remote command-execution
| vulnerability. Specifically, this issue occurs because the content of
| the ipdiscover_analyser rzo GET parameter is concatenated to a string
| used in an exec() call in the PHP code. Authentication is needed in
| order to exploit this vulnerability.

CVE-2018-14473[2]:
| OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing
| the use of external entities. This issue can be exploited by an
| attacker sending a crafted HTTP request in order to exfiltrate
| information or cause a Denial of Service.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12482
[1] https://security-tracker.debian.org/tracker/CVE-2018-12483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12483
[2] https://security-tracker.debian.org/tracker/CVE-2018-14473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14473
[3] https://www.tarlogic.com/en/blog/vulnerabilities-in-ocs-inventory-2-4-1/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
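As an added example, not OCS Inventory's own code and not part of the report above: a PHP request-parsing routine configured the way the CVE-2018-14473 description implies the server's parser was not, with external entity loading and network access disabled and any DOCTYPE-bearing document rejected outright. The function name parse_request_xml and the two sample documents are constructed for this illustration.

```php
<?php
// Added example (not OCS Inventory code): parse an inbound XML request body
// with external entities disabled, the mitigation for the XXE class of
// issue described in CVE-2018-14473. Names and inputs here are constructed.

declare(strict_types=1);

function parse_request_xml(string $body): ?DOMDocument
{
    // PHP < 8.0 resolves external entities unless the loader is switched
    // off; PHP >= 8.0 disables it by default and deprecates this call.
    if (\PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing.
    // LIBXML_NOENT is deliberately NOT passed, so entity references are
    // never substituted with their (possibly external) content.
    $ok = $dom->loadXML($body, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok === false) {
        return null;
    }
    // Inventory requests have no legitimate need for a DTD, so refuse any
    // document that carries one. This also closes internal-entity
    // expansion (the "billion laughs" DoS), not only external entities.
    if ($dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Constructed sample: a request declaring an external entity.
$hostile = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE REQUEST [<!ENTITY ext SYSTEM "file:///path/placeholder">]>
<REQUEST><DEVICEID>&ext;</DEVICEID></REQUEST>
XML;

// Constructed sample: an ordinary request with no DTD.
$benign = '<?xml version="1.0"?><REQUEST><DEVICEID>host-1</DEVICEID></REQUEST>';

echo 'hostile document: ', parse_request_xml($hostile) === null ? "rejected\n" : "accepted\n";
echo 'benign document:  ', parse_request_xml($benign) === null ? "rejected\n" : "accepted\n";
```

Rejecting the DOCTYPE is the check that matters most in practice; the entity-loader and LIBXML_NONET settings are belt-and-braces for parsers that must accept a DTD for other reasons.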