Show filters
9 Total Results
Displaying 1-9 of 9
Sort by:
Attacker Value
Unknown

CVE-2019-17120

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/adm_usrs.jsp. The usr parameter is vulnerable: the reflected cross-site scripting occurs immediately after the user is created. The malicious script is stored and will be executed whenever /WiKIDAdmin/adm_usrs.jsp is visited.
Attack Vector: NetworkPrivileges: NoneUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2019-17119

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
Multiple SQL injection vulnerabilities in Logs.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allow authenticated users to execute arbitrary SQL commands via the source or subString parameter.
Attack Vector: NetworkPrivileges: LowUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2019-17118

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
A CSRF issue in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows a remote attacker to trick an authenticated user into performing unintended actions such as (1) create or delete admin users; (2) create or delete groups; or (3) create, delete, enable, or disable normal users or devices.
Attack Vector: NetworkPrivileges: NoneUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2019-17117

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
A SQL injection vulnerability in processPref.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows an authenticated user to execute arbitrary SQL commands via the processPref.jsp key parameter.
Attack Vector: NetworkPrivileges: LowUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2019-17114

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allows remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/userPreregistration.jsp. The preRegistrationData parameter is vulnerable: a reflected cross-site scripting occurs immediately after a .csv file is uploaded. The malicious script is stored and can be executed again when the List Pre-Registration functionality is used.
Attack Vector: NetworkPrivileges: NoneUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2019-16917

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
WiKID Enterprise 2FA (two factor authentication) Enterprise Server through 4.2.0-b2047 is vulnerable to SQL injection through the searchDevices.jsp endpoint. The uid and domain parameters are used, unsanitized, in a SQL query constructed in the buildSearchWhereClause function.
Attack Vector: NetworkPrivileges: LowUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2019-17116

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/groups.jsp. The groupName parameter is vulnerable: the reflected cross-site scripting occurs immediately after the group is created. The malicious script is stored and will be executed again whenever /WiKIDAdmin/groups.jsp is visited.
Attack Vector: NetworkPrivileges: NoneUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2019-17115

Disclosure Date: October 17, 2019 (last updated November 27, 2024)
Multiple cross-site scripting (XSS) vulnerabilities in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML that is triggered when Logs.jsp is visited. The rendered_message column is retrieved and displayed, unsanitized, on Logs.jsp. A remote attack can populate the rendered_message column with malicious values via: (1) H parameter to /wikid/servlet/com.wikidsystems.server.GetDomainHash (2) S parameter to: - /wikid/DomainData - /wikid/PreRegisterLookup - /wikid/PreRegister - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES (3) a parameter to: - /wikid/PreRegisterLookup - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S -…
Attack Vector: NetworkPrivileges: NoneUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2008-4763

Disclosure Date: October 28, 2008 (last updated October 04, 2023)
Multiple cross-site scripting (XSS) vulnerabilities in sample.php in WiKID wClient-PHP 3.0-2 and earlier allow remote attackers to inject arbitrary web script or HTML via the PHP_SELF variable.
0
0