MidnightBSD

Advisories for lumension

CVE-2006-3425 HIGH

FastPatch for (a) PatchLink Update Server (PLUS) before 6.1 P1 and 6.2.x before 6.2 SR1 P1, and (b) Novell ZENworks 6.2 SR1 and earlier, does not require authentication for dagent/proxyreg.asp, which allows remote attackers to list, add, or delete PatchLink Distribution Point (PDP) proxy servers via modified (1) List, (2) Proxy, or (3) Delete parameters.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
lumension patchlink_update_server 6.2.0.189
lumension patchlink_update_server 6.2.0.181
lumension patchlink_update_server 6.1
novell zenworks *

CVE-2006-3426 MEDIUM

Directory traversal vulnerability in (a) PatchLink Update Server (PLUS) before 6.1 P1 and 6.2.x before 6.2 SR1 P1 and (b) Novell ZENworks 6.2 SR1 and earlier allows remote attackers to overwrite arbitrary files and directories via a .. (dot dot) sequence in the (1) action, (2) agentid, or (3) index parameters to dagent/nwupload.asp, which are used as pathname components.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
lumension patchlink_update_server 6.2.0.189
lumension patchlink_update_server 6.2.0.181
lumension patchlink_update_server 6.1
novell zenworks *

CVE-2006-3430 HIGH

SQL injection vulnerability in checkprofile.asp in (1) PatchLink Update Server (PLUS) before 6.1 P1 and 6.2.x before 6.2 SR1 P1 and (2) Novell ZENworks 6.2 SR1 and earlier allows remote attackers to execute arbitrary SQL commands via the agentid parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
lumension patchlink_update_server 6.2.0.189
lumension patchlink_update_server 6.2.0.181
lumension patchlink_update_server 6.1
novell zenworks *