Vulnerabilities related to reprisesoftware - reprise_license_manager
cve-2022-28363
Vulnerability from cvelistv5
Published
2022-04-09 16:26
Modified
2024-08-03 05:56
Summary
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process username parameter via GET. No authentication is required.
References
| URL | Tags |
|---|---|
| https://www.reprisesoftware.com/products/software-license-management.php | x_refsource_MISC |
| http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | x_refsource_MISC |
| https://seclists.org/fulldisclosure/2022/Apr/1 | x_refsource_MISC |
cve-2021-44151
Vulnerability from cvelistv5
Published
2021-12-13 00:00
Modified
2024-08-04 04:17
Summary
An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.
References
| URL | Tags |
|---|---|
| https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | |
| http://packetstormsecurity.com/files/165191/Reprise-License-Manager-14.2-Session-Hijacking.html | |
| https://www.reprisesoftware.com/RELEASE_NOTES | |
cve-2022-30519
Vulnerability from cvelistv5
Published
2022-12-29 00:00
Modified
2025-04-11 22:48
Summary
XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field.
References
| URL | Tags |
|---|---|
| https://github.com/earth2sky/Disclosed/blob/main/CVE-2022-30519 | |
| http://packetstormsecurity.com/files/171627/Reprise-Software-RLM-14.2BL4-Cross-Site-Scripting.html | |

CVSS 3.1 (CISA-ADP): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE (CISA-ADP): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
SSVC (CISA Coordinator): Exploitation none; Automatable no; Technical Impact partial
cve-2018-5716
Vulnerability from cvelistv5
Published
2018-02-21 15:00
Modified
2024-08-05 05:40
Summary
An issue was discovered in Reprise License Manager 11.0. This vulnerability is a Path Traversal where the attacker, by changing a field in the Web Request, can have access to files on the File System of the Server. By specifying a pathname in the POST parameter "lf" to the goform/edit_lf_get_data URI, the attacker can retrieve the content of a file.
References
| URL | Tags |
|---|---|
| http://www.0x90.zone/web/path-traversal/2018/02/16/Path-Traversal-Reprise-LM.html | x_refsource_MISC |
cve-2021-37498
Vulnerability from cvelistv5
Published
2023-01-20 00:00
Modified
2025-04-03 12:59
Summary
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.
References
| URL | Tags |
|---|---|
| http://reprise.com | |
| http://reprisesoftware.com | |
| https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md | |

CVSS 3.1 (CISA-ADP): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE (CISA-ADP): CWE-918 Server-Side Request Forgery (SSRF)
SSVC (CISA Coordinator): Exploitation none; Automatable yes; Technical Impact partial
cve-2021-37499
Vulnerability from cvelistv5
Published
2023-01-20 00:00
Modified
2025-04-03 17:41
Summary
CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.
References
| URL | Tags |
|---|---|
| http://reprise.com | |
| http://reprisesoftware.com | |
| https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md | |

CVSS 3.1 (CISA-ADP): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE (CISA-ADP): CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
SSVC (CISA Coordinator): Exploitation none; Automatable no; Technical Impact partial
cve-2021-45422
Vulnerability from cvelistv5
Published
2022-01-13 18:15
Modified
2025-03-19 19:50
Summary
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
References
| URL | Tags |
|---|---|
| http://reprise.com | |
| https://seclists.org/fulldisclosure/2022/Jan/31 | |
| https://www.getinfosec.news/13202933/reprise-license-manager-142-reflected-cross-site-scripting#/ | |
| https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2021-45422/RLM%2014.2%20Cross%20Site%20Scripting.txt | |
cve-2018-15574
Vulnerability from cvelistv5
Published
2018-08-20 02:00
Modified
2024-11-14 20:35
Summary
An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability."
References
| URL | Tags |
|---|---|
| https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/ | |
| https://reprisesoftware.com/docs/whats-new.html | |

Record tags: disputed
SSVC (CISA Coordinator): Exploitation poc; Automatable no; Technical Impact partial
cve-2021-37500
Vulnerability from cvelistv5
Published
2023-01-20 00:00
Modified
2025-04-03 16:02
Summary
Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file on the server.
References
| URL | Tags |
|---|---|
| http://reprise.com | |
| http://reprisesoftware.com | |
| https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md | |

CVSS 3.1 (CISA-ADP): 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CWE (CISA-ADP): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
SSVC (CISA Coordinator): Exploitation none; Automatable no; Technical Impact total
cve-2022-28364
Vulnerability from cvelistv5
Published
2022-04-09 16:27
Modified
2024-08-03 05:56
Summary
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process file parameter via GET. Authentication is required.
References
| URL | Tags |
|---|---|
| https://www.reprisesoftware.com/products/software-license-management.php | x_refsource_MISC |
| http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | x_refsource_MISC |
| https://seclists.org/fulldisclosure/2022/Apr/1 | x_refsource_MISC |
cve-2021-44155
Vulnerability from cvelistv5
Published
2021-12-13 00:00
Modified
2024-08-04 04:17
Summary
An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.
References
| URL | Tags |
|---|---|
| https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | |
| http://packetstormsecurity.com/files/165182/Reprise-License-Manager-14.2-User-Enumeration.html | |
| https://www.reprisesoftware.com/RELEASE_NOTES | |
cve-2021-44154
Vulnerability from cvelistv5
Published
2021-12-13 03:34
Modified
2024-08-04 04:17
Severity ?
EPSS score ?
Summary
An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.
References
URL | Tags
---|---
https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | x_refsource_MISC
http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:17:25.040Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-12-13T03:34:44", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-44154", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An issue was discovered in Reprise RLM 14.2. 
By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", refsource: "MISC", url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { name: "http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-44154", datePublished: "2021-12-13T03:34:44", dateReserved: "2021-11-22T00:00:00", dateUpdated: "2024-08-04T04:17:25.040Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-15573
Vulnerability from cvelistv5
Published
2018-08-20 02:00
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. NOTE: the vendor has stated "We do not consider this a vulnerability."
References
URL | Tags
---|---
https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/ | x_refsource_MISC
http://seclists.org/fulldisclosure/2021/Dec/18 | mailing-list, x_refsource_FULLDISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T10:01:54.654Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", }, { name: "20211207 (Reprise License Manager) RLM 14.2 - Authenticated Remote Binary Execution", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2021/Dec/18", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-08-19T00:00:00", descriptions: [ { lang: "en", value: "An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. 
NOTE: the vendor has stated \"We do not consider this a vulnerability.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-12-07T22:06:07", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", }, { name: "20211207 (Reprise License Manager) RLM 14.2 - Authenticated Remote Binary Execution", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2021/Dec/18", }, ], tags: [ "disputed", ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-15573", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "** DISPUTED ** An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. 
NOTE: the vendor has stated \"We do not consider this a vulnerability.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", refsource: "MISC", url: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", }, { name: "20211207 (Reprise License Manager) RLM 14.2 - Authenticated Remote Binary Execution", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2021/Dec/18", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-15573", datePublished: "2018-08-20T02:00:00", dateReserved: "2018-08-19T00:00:00", dateUpdated: "2024-08-05T10:01:54.654Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-28365
Vulnerability from cvelistv5
Published
2022-04-09 00:00
Modified
2024-08-03 05:56
Severity ?
EPSS score ?
Summary
Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T05:56:14.870Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.reprisesoftware.com/products/software-license-management.php", }, { tags: [ "x_transferred", ], url: "http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { tags: [ "x_transferred", ], url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { tags: [ "x_transferred", ], url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-20T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://www.reprisesoftware.com/products/software-license-management.php", }, { url: "http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-28365", datePublished: "2022-04-09T00:00:00", dateReserved: "2022-04-03T00:00:00", dateUpdated: "2024-08-03T05:56:14.870Z", state: "PUBLISHED", }, dataType: 
"CVE_RECORD", dataVersion: "5.1", }
cve-2021-44153
Vulnerability from cvelistv5
Published
2021-12-13 03:33
Modified
2024-08-04 04:17
Severity ?
EPSS score ?
Summary
An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo "C:\Windows\System32\calc.exe" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:17:23.591Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo \"C:\\Windows\\System32\\calc.exe\" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. 
(Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-12-13T03:33:19", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-44153", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo \"C:\\Windows\\System32\\calc.exe\" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. 
(Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", refsource: "MISC", url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { name: "http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-44153", datePublished: "2021-12-13T03:33:19", dateReserved: "2021-11-22T00:00:00", dateUpdated: "2024-08-04T04:17:23.591Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-44152
Vulnerability from cvelistv5
Published
2021-12-13 00:00
Modified
2024-08-04 04:17
Severity ?
EPSS score ?
Summary
An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:17:23.589Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { tags: [ "x_transferred", ], url: "http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html", }, { tags: [ "x_transferred", ], url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-20T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { url: "http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html", }, { url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-44152", datePublished: "2021-12-13T00:00:00", dateReserved: "2021-11-22T00:00:00", dateUpdated: "2024-08-04T04:17:23.589Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2023-01-20 12:15
Modified
2025-04-03 18:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.
References
Impacted products
Vendor | Product | Version
---|---|---
reprisesoftware | reprise_license_manager | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "CE5368A7-9052-45AA-A06D-249B118C27A2", versionEndIncluding: "14.2bl4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.", }, { lang: "es", value: "Vulnerabilidad CRLF en la interfaz web de Reprise License Manager (RLM) hasta 14.2BL4 en el parámetro de contraseña en la función View License Result , que permite a atacantes remotos inyectar encabezados HTTP arbitrarios.", }, ], id: "CVE-2021-37499", lastModified: "2025-04-03T18:15:41.510", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-01-20T12:15:11.350", references: [ { source: "cve@mitre.org", tags: [ "Not Applicable", ], url: "http://reprise.com", }, { source: "cve@mitre.org", tags: [ "Product", ], url: 
"http://reprisesoftware.com", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "http://reprise.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "http://reprisesoftware.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-74", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-74", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2022-04-09 17:15
Modified
2024-11-21 06:57
Severity ?
Summary
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process username parameter via GET. No authentication is required.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://seclists.org/fulldisclosure/2022/Apr/1 | Exploit, Mailing List, Third Party Advisory
cve@mitre.org | https://www.reprisesoftware.com/products/software-license-management.php | Product
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2022/Apr/1 | Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.reprisesoftware.com/products/software-license-management.php | Product
Impacted products
Vendor | Product | Version
---|---|---
reprisesoftware | reprise_license_manager | 14.2
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process username parameter via GET. No authentication is required.", }, { lang: "es", value: "Reprise License Manager versión 14.2, está afectado por una vulnerabilidad de tipo cross-site scripting (XSS) reflejado en el parámetro /goform/login_process username por medio de GET. No es requerida autenticación", }, ], id: "CVE-2022-28363", lastModified: "2024-11-21T06:57:12.757", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-04-09T17:15:07.907", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: 
"http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://www.reprisesoftware.com/products/software-license-management.php", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.reprisesoftware.com/products/software-license-management.php", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-13 04:15
Modified
2024-11-21 06:30
Severity ?
Summary
An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo "C:\Windows\System32\calc.exe" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
reprisesoftware | reprise_license_manager | 14.2
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo \"C:\\Windows\\System32\\calc.exe\" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)", }, { lang: "es", value: "Se ha detectado un problema en Reprise RLM versión 14.2. Al editar el archivo de licencia, es posible que un usuario administrador habilite una opción para ejecutar ejecutables arbitrarios, como lo demuestra una entrada de demostración ISV \"C:\\Windows\\System32\\calc.exe\". Un atacante puede explotar esto para ejecutar un binario malicioso en el inicio, o cuando es activada la función Reread/Restart Servers en el servidor web. 
(La explotación no requiere CVE-2018-15573, porque el archivo de licencia está destinado a ser cambiado en la aplicación)", }, ], id: "CVE-2021-44153", lastModified: "2024-11-21T06:30:27.397", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "COMPLETE", baseScore: 9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:S/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 8, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-13T04:15:07.223", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html", }, { source: "cve@mitre.org", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165194/Reprise-License-Manager-14.2-Remote-Binary-Execution.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, ], 
sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-20 12:15
Modified
2025-04-03 16:15
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file on the server.
References
Impacted products
Vendor | Product | Version
---|---|---
reprisesoftware | reprise_license_manager | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "F7B5DC0A-B263-42A5-8FA4-4B992D9A16C5", versionEndExcluding: "14.2bl4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server.", }, { lang: "es", value: "Vulnerabilidad de Directory Traversal en la interfaz web de Reprise License Manager (RLM) anterior a 14.2BL4 en la función de diagnóstico que permite a los usuarios de RLM con privilegios suficientes sobrescribir cualquier archivo en el servidor.", }, ], id: "CVE-2021-37500", lastModified: "2025-04-03T16:15:23.320", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-01-20T12:15:11.507", references: [ { source: "cve@mitre.org", tags: [ "Not Applicable", ], url: "http://reprise.com", }, { source: "cve@mitre.org", tags: [ "Product", ], url: 
"http://reprisesoftware.com", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "http://reprise.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "http://reprisesoftware.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-22", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2018-08-20 02:29
Modified
2024-11-21 03:51
Severity ?
Summary
An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability."
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "B7041515-4BE6-4682-AD21-3E7616B9B56F", versionEndIncluding: "12.2bl2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [ { sourceIdentifier: "cve@mitre.org", tags: [ "disputed", ], }, ], descriptions: [ { lang: "en", value: "An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated \"We do not consider this a vulnerability.\"", }, { lang: "es", value: "** EN DISPUTA ** Se ha descubierto un problema en el editor de licencias en Reprise License Manager (RLM) hasta la versión 12.2.BL2. Es una vulnerabilidad Cross-Site Scripting (XSS) en el parámetro If en /goform/edit_lf_get_data mediante GET o POST. NOTA: el fabricante ha declarado \"No consideramos que esto sea una vulnerabilidad\".", }, ], id: "CVE-2018-15574", lastModified: "2024-11-21T03:51:05.910", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, 
exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-08-20T02:29:00.543", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", }, { source: "cve@mitre.org", url: "https://reprisesoftware.com/docs/whats-new.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://reprisesoftware.com/docs/whats-new.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-21 15:29
Modified
2024-11-21 04:09
Severity ?
Summary
An issue was discovered in Reprise License Manager 11.0. This vulnerability is a Path Traversal where the attacker, by changing a field in the Web Request, can have access to files on the File System of the Server. By specifying a pathname in the POST parameter "lf" to the goform/edit_lf_get_data URI, the attacker can retrieve the content of a file.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.0x90.zone/web/path-traversal/2018/02/16/Path-Traversal-Reprise-LM.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.0x90.zone/web/path-traversal/2018/02/16/Path-Traversal-Reprise-LM.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 11.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:11.0:*:*:*:*:*:*:*", matchCriteriaId: "C20627F3-ECAC-46EB-87E5-E5CA6F779F62", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise License Manager 11.0. This vulnerability is a Path Traversal where the attacker, by changing a field in the Web Request, can have access to files on the File System of the Server. By specifying a pathname in the POST parameter \"lf\" to the goform/edit_lf_get_data URI, the attacker can retrieve the content of a file.", }, { lang: "es", value: "Se ha descubierto un problema en Reprise License Manager 11.0. La vulnerabilidad es un salto de directorio en el que el atacante, al cambiar un campo en la petición web, puede tener acceso a archivos en el sistema de archivos del servidor. Al especificar un nombre de ruta en el parámetro POST \"If\" en el URI goform/edit_lf_get_data, el atacante puede recuperar el contenido de un archivo.", }, ], id: "CVE-2018-5716", lastModified: "2024-11-21T04:09:14.150", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 8.5, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:S/C:C/I:C/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 9.2, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-21T15:29:00.633", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "http://www.0x90.zone/web/path-traversal/2018/02/16/Path-Traversal-Reprise-LM.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "http://www.0x90.zone/web/path-traversal/2018/02/16/Path-Traversal-Reprise-LM.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-13 04:15
Modified
2024-11-21 06:30
Severity ?
Summary
An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory | |
cve@mitre.org | https://www.reprisesoftware.com/RELEASE_NOTES | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.reprisesoftware.com/RELEASE_NOTES | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D5405736-5384-409E-AF40-EB026F7C0F68", versionEndExcluding: "15.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.", }, { lang: "es", value: "Se ha detectado un problema en Reprise RLM versión 14.2. Debido a que /goform/change_password_process no verifica la autenticación o la autorización, un usuario no autenticado puede cambiar la contraseña de cualquier usuario presente. Esto permite a un atacante cambiar la contraseña de cualquier usuario conocido, impidiendo así que los usuarios válidos accedan al sistema y concediendo al atacante acceso completo a la cuenta de ese usuario", }, ], id: "CVE-2021-44152", lastModified: "2024-11-21T06:30:27.213", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: 
"HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-13T04:15:07.180", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html", }, { source: "cve@mitre.org", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-306", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-04-09 17:15
Modified
2024-11-21 06:57
Severity ?
Summary
Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://seclists.org/fulldisclosure/2022/Apr/1 | Exploit, Mailing List, Third Party Advisory | |
cve@mitre.org | https://www.reprisesoftware.com/RELEASE_NOTES | ||
cve@mitre.org | https://www.reprisesoftware.com/products/software-license-management.php | Product | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2022/Apr/1 | Exploit, Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.reprisesoftware.com/RELEASE_NOTES | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.reprisesoftware.com/products/software-license-management.php | Product |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 14.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.", }, { lang: "es", value: "Reprise License Manager versión 14.2, está afectado por una vulnerabilidad de divulgación de información por medio de una petición GET a /goforms/rlminfo. No es requerida autenticación. La información divulgada está asociada a versiones de software, IDs de procesos, configuración de red, nombre(s) de host, arquitectura del sistema y detalles de archivos/directorios", }, ], id: "CVE-2022-28365", lastModified: "2024-11-21T06:57:13.073", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, 
impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-04-09T17:15:08.013", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { source: "cve@mitre.org", url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://www.reprisesoftware.com/products/software-license-management.php", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.reprisesoftware.com/products/software-license-management.php", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-425", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-12-29 23:15
Modified
2025-04-11 23:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 14.2bl4 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2bl4:*:*:*:*:*:*:*", matchCriteriaId: "285B8AEB-0EBA-4851-A9B6-07D0DF4A91BE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field.", }, { lang: "es", value: "XSS en forma de firma en Reprise Software RLM License Administration v14.2BL4 permite a un atacante remoto inyectar código arbitrario a través del campo de contraseña.", }, ], id: "CVE-2022-30519", lastModified: "2025-04-11T23:15:26.610", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2022-12-29T23:15:09.803", references: [ { source: "cve@mitre.org", url: "http://packetstormsecurity.com/files/171627/Reprise-Software-RLM-14.2BL4-Cross-Site-Scripting.html", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/earth2sky/Disclosed/blob/main/CVE-2022-30519", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://packetstormsecurity.com/files/171627/Reprise-Software-RLM-14.2BL4-Cross-Site-Scripting.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/earth2sky/Disclosed/blob/main/CVE-2022-30519", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2022-04-09 17:15
Modified
2024-11-21 06:57
Severity ?
Summary
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process file parameter via GET. Authentication is required.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://seclists.org/fulldisclosure/2022/Apr/1 | Exploit, Mailing List, Third Party Advisory | |
cve@mitre.org | https://www.reprisesoftware.com/products/software-license-management.php | Product | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2022/Apr/1 | Exploit, Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.reprisesoftware.com/products/software-license-management.php | Product |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 14.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process file parameter via GET. Authentication is required.", }, { lang: "es", value: "Reprise License Manager versión 14.2 está afectado por una vulnerabilidad de tipo cross-site scripting (XSS) reflejado en el parámetro de archivo /goform/rlmswitchr_process por medio de GET. Es requerida autenticación", }, ], id: "CVE-2022-28364", lastModified: "2024-11-21T06:57:12.917", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-04-09T17:15:07.973", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: 
"http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://www.reprisesoftware.com/products/software-license-management.php", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Apr/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.reprisesoftware.com/products/software-license-management.php", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-08-20 02:29
Modified
2024-11-21 03:51
Severity ?
Summary
An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. NOTE: the vendor has stated "We do not consider this a vulnerability.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://seclists.org/fulldisclosure/2021/Dec/18 | Third Party Advisory | |
cve@mitre.org | https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Dec/18 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "B7041515-4BE6-4682-AD21-3E7616B9B56F", versionEndIncluding: "12.2bl2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [ { sourceIdentifier: "cve@mitre.org", tags: [ "disputed", ], }, ], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. NOTE: the vendor has stated \"We do not consider this a vulnerability.", }, { lang: "es", value: "** EN DISPUTA ** Se ha descubierto un problema en Reprise License Manager (RLM) hasta la versión 12.2.BL2. Los atacantes pueden usar la interfaz web para leer y escribir datos en cualquier archivo del disco (siempre y cuando rlm.exe tenga acceso a él) a través de /goform/edit_lf_process con el contenido del archivo en el parámetro lfdata y un nombre de ruta en el parámetro lf. De forma predeterminada, la interfaz web está en el puerto 5054 y no requiere autenticación. 
NOTA: el fabricante ha declarado \"No consideramos que esto sea una vulnerabilidad\".", }, ], id: "CVE-2018-15573", lastModified: "2024-11-21T03:51:05.737", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 9.3, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-08-20T02:29:00.417", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2021/Dec/18", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2021/Dec/18", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://bittherapy.net/rce-with-arbitrary-file-write-and-xss-in-reprise-license-manager/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-434", }, ], source: "nvd@nist.gov", type: 
"Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-01-13 19:15
Modified
2025-03-19 20:15
Severity ?
Summary
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://reprise.com | Broken Link | |
cve@mitre.org | https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2021-45422/RLM%2014.2%20Cross%20Site%20Scripting.txt | ||
cve@mitre.org | https://seclists.org/fulldisclosure/2022/Jan/31 | Exploit, Mailing List, Third Party Advisory | |
cve@mitre.org | https://www.getinfosec.news/13202933/reprise-license-manager-142-reflected-cross-site-scripting#/ | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://reprise.com | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2022/Jan/31 | Exploit, Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.getinfosec.news/13202933/reprise-license-manager-142-reflected-cross-site-scripting#/ | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 14.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process \"count\" parameter via GET. No authentication is required.", }, { lang: "es", value: "Reprise License Manager versión 14.2, está afectado por una vulnerabilidad de tipo cross-site scripting reflejado en el parámetro /goform/activate_process \"count\" por medio de GET. No es requerida autenticación", }, ], id: "CVE-2021-45422", lastModified: "2025-03-19T20:15:16.623", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-01-13T19:15:08.540", references: [ { source: "cve@mitre.org", tags: [ "Broken Link", ], url: "http://reprise.com", }, { source: "cve@mitre.org", url: 
"https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2021-45422/RLM%2014.2%20Cross%20Site%20Scripting.txt", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Jan/31", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.getinfosec.news/13202933/reprise-license-manager-142-reflected-cross-site-scripting#/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://reprise.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/fulldisclosure/2022/Jan/31", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.getinfosec.news/13202933/reprise-license-manager-142-reflected-cross-site-scripting#/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-13 04:15
Modified
2024-11-21 06:30
Severity ?
Summary
An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to log in, the response includes "Login Failed" if the username is valid, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/165182/Reprise-License-Manager-14.2-User-Enumeration.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory | |
cve@mitre.org | https://www.reprisesoftware.com/RELEASE_NOTES | ||
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/165182/Reprise-License-Manager-14.2-User-Enumeration.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.reprisesoftware.com/RELEASE_NOTES |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 14.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.", }, { lang: "es", value: "Se ha detectado un problema en /goform/login_process en Reprise RLM versión 14.2. Cuando un atacante intenta iniciar sesión, la respuesta si un nombre de usuario es válido incluye Login Failed, pero no incluye esta cadena si el nombre de usuario no es válido. Esto permite a un atacante enumerar usuarios válidos", }, ], id: "CVE-2021-44155", lastModified: "2024-11-21T06:30:27.750", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: 
"2021-12-13T04:15:07.323", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165182/Reprise-License-Manager-14.2-User-Enumeration.html", }, { source: "cve@mitre.org", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "cve@mitre.org", url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165182/Reprise-License-Manager-14.2-User-Enumeration.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-209", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-13 04:15
Modified
2024-11-21 06:30
Severity ?
Summary
An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes | Patch, Product, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 14.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.", }, { lang: "es", value: "Se ha detectado un problema en Reprise RLM versión 14.2. Al usar una cuenta de administrador, un atacante puede escribir una carga útil en /goform/edit_opt, que luego será desencadenada al ejecutar los diagnósticos (por medio de /goform/diagnostics_doit), resultando en un desbordamiento del búfer", }, ], id: "CVE-2021-44154", lastModified: "2024-11-21T06:30:27.577", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-13T04:15:07.263", references: [ { source: 
"cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html", }, { source: "cve@mitre.org", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165193/Reprise-License-Manager-14.2-Buffer-Overflow.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-120", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-13 04:15
Modified
2024-11-21 06:30
Severity ?
Summary
An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | 14.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*", matchCriteriaId: "7398E968-24AF-4006-92A0-B9DDC49EF43D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.", }, { lang: "es", value: "Se ha detectado un problema en Reprise RLM versión 14.2. Como las cookies de sesión son pequeñas, un atacante puede secuestrar cualquier sesión presente forzando la cookie de sesión de 4 caracteres hexadecimales en la versión de Windows (la versión de Linux parece tener 8 caracteres). Un atacante puede obtener la parte estática de la cookie (nombre de la cookie) al hacer primero una petición a cualquier página de la aplicación (por ejemplo, /goforms/menú) y guardando el nombre de la cookie enviada con la respuesta. El atacante puede entonces usar el nombre de la cookie e intentar solicitar esa misma página, estableciendo un valor aleatorio para la cookie. 
Si algún usuario presenta una sesión activa, la página debería volver con el contenido autorizado, cuando se encuentre un valor de cookie válido", }, ], id: "CVE-2021-44151", lastModified: "2024-11-21T06:30:27.020", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-13T04:15:07.137", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165191/Reprise-License-Manager-14.2-Session-Hijacking.html", }, { source: "cve@mitre.org", tags: [ "Product", "Vendor Advisory", ], url: "https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "cve@mitre.org", url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/165191/Reprise-License-Manager-14.2-Session-Hijacking.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", "Vendor Advisory", ], url: 
"https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.reprisesoftware.com/RELEASE_NOTES", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-330", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-20 12:15
Modified
2025-04-03 13:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
An SSRF issue was discovered in the Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers and conduct port scans via the actserver parameter in the License Activation function.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
reprisesoftware | reprise_license_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:reprisesoftware:reprise_license_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "CE5368A7-9052-45AA-A06D-249B118C27A2", versionEndIncluding: "14.2bl4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.", }, { lang: "es", value: "Se descubrió un problema SSRF en la interfaz web de Reprise License Manager (RLM) hasta 14.2BL4 que permite a atacantes remotos activar solicitudes salientes a servidores de intranet y realizar escaneos de puertos a través del parámetro acterver en la función Activación de licencia.", }, ], id: "CVE-2021-37498", lastModified: "2025-04-03T13:15:41.377", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-01-20T12:15:10.143", references: [ { source: "cve@mitre.org", tags: [ "Not Applicable", ], url: 
"http://reprise.com", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "http://reprisesoftware.com", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "http://reprise.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "http://reprisesoftware.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/blakduk/Advisories/blob/main/Reprise%20License%20Manager/README.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-918", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-918", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }