
Test ID: 1.3.6.1.4.1.25623.1.0.114162
Category: Web application abuses
Title: Portainer < 1.22.1 Multiple Vulnerabilities
Summary: Portainer is prone to multiple vulnerabilities.
Description:
Summary:
Portainer is prone to multiple vulnerabilities.

Vulnerability Insight:
Portainer is prone to multiple vulnerabilities:

- An Unrestricted Host Filesystem Access vulnerability exists in the Stack creation feature
in Portainer. Successful exploitation of this vulnerability would allow an
authenticated user to gain full permission on the host filesystem. (CVE-2019-16872)

- A Stored Cross-Site Scripting vulnerability exists in the isteven-multi-select component
in Portainer. Successful exploitation of this vulnerability would allow authenticated users
to inject arbitrary JavaScript into Portainer pages viewed by other users. (CVE-2019-16873)

- An Improper Access Control vulnerability exists in the RBAC extension in Portainer.
Successful exploitation of this vulnerability would allow Helpdesk users to access sensitive
information via the volume browsing feature. (CVE-2019-16874)

- A path traversal vulnerability exists in Portainer. Successful exploitation of this
vulnerability would allow an authenticated user to upload files to an arbitrary location. (CVE-2019-16876)

- An authorization bypass vulnerability exists in Portainer. Successful exploitation of this
vulnerability would allow an authenticated user to gain full permission on a host filesystem
via the Host Management API. (CVE-2019-16877)

- A Stored Cross-Site Scripting vulnerability exists in the file removal confirmation modal
in Portainer. Successful exploitation of this vulnerability would allow an authenticated user
to inject arbitrary JavaScript into Portainer pages viewed by other users. (CVE-2019-16878)

Affected Software/OS:
Portainer versions before 1.22.1.

Solution:
Update to Portainer 1.22.1 or later.

CVSS Score:
9.0

CVSS Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C

Cross reference: Common Vulnerability Exposure (CVE) ID: CVE-2019-16872
Common Vulnerability Exposure (CVE) ID: CVE-2019-16873
Common Vulnerability Exposure (CVE) ID: CVE-2019-16874
Common Vulnerability Exposure (CVE) ID: CVE-2019-16876
Common Vulnerability Exposure (CVE) ID: CVE-2019-16877
Common Vulnerability Exposure (CVE) ID: CVE-2019-16878
Copyright: Copyright (C) 2019 Greenbone Networks GmbH





© 1998-2024 E-Soft Inc. All rights reserved.