05. 10. 2022
Bug Fixes, NetEye
NetEye 4 Asset – Security Advisory – Multiple Vulnerabilities
Important: Multiple Security updates for NetEye 4
Security Advisory: Critical
Wuerth Phoenix has released Critical Patches (CPs) for NetEye 4. These CPs resolve multiple vulnerabilities: SQL injections, Cross-Site Scripting and an unauthenticated remote command execution (RCE) vulnerability.
GLPI was affected by:
- [Critical] RCE using a third-party library script (CVE-2022-35914)
- [Critical] Privilege Escalation by authentication via SQL injection (CVE-2022-35947)
- XSS through registration API (CVE-2022-35945)
- Leak of sensitive information through login page error (CVE-2022-31143)
- SQL injection through plugin controller (CVE-2022-35946)
Security Fix(es) for NetEye >= 4.23:
CVE-2022-35914 RCE workaround for older NetEye 4 versions
Remove the /usr/share/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php file from the filesystem on all NetEye nodes. This prevents unauthenticated attackers from compromising your NetEye installation.
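As an added example (not part of this advisory or of the NetEye project), the following POSIX shell script applies that workaround on a node and verifies it; the `apply_on_nodes` wrapper, its use of key-based ssh and the node names passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the NetEye project): apply and verify the
# CVE-2022-35914 workaround, i.e. remove the htmLawed test script from a GLPI install.
# The ssh-based fleet wrapper at the end is an assumption about how nodes are reached.

HTMLAWED_TEST="/usr/share/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php"

# check_htmlawed_workaround [path]
# Exit status 0 when the file is absent (workaround in place), 1 when it still exists.
check_htmlawed_workaround() {
    path="${1:-$HTMLAWED_TEST}"
    if [ -e "$path" ]; then
        echo "VULNERABLE: $path is present" >&2
        return 1
    fi
    echo "OK: $path is absent"
    return 0
}

# apply_htmlawed_workaround [path]
# Records the SHA-256 of the file for the change log, deletes it, then re-checks.
# Exit status is that of the final check (non-zero if the file could not be removed).
apply_htmlawed_workaround() {
    path="${1:-$HTMLAWED_TEST}"
    if [ -e "$path" ]; then
        sha256sum -- "$path" 2>/dev/null || true
        rm -f -- "$path" || { echo "ERROR: could not remove $path" >&2; return 1; }
    fi
    check_htmlawed_workaround "$path"
}

# apply_on_nodes host...
# Hypothetical fleet wrapper: runs the remove-and-verify step on each node over ssh
# and reports any node where the file is still present. Assumes key-based ssh access.
apply_on_nodes() {
    failed=0
    for node in "$@"; do
        if ssh "$node" "rm -f -- '$HTMLAWED_TEST' && [ ! -e '$HTMLAWED_TEST' ]"; then
            echo "$node: workaround applied"
        else
            echo "$node: FAILED, verify manually" >&2
            failed=1
        fi
    done
    return "$failed"
}
```

Run `apply_htmlawed_workaround` locally on each node, or `apply_on_nodes node1 node2 ...` from a host that can reach them all; a non-zero exit means at least one node still has the file.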
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.
Affected versions: all NetEye 4.x versions prior to and including 4.26.
Latest posts by Gianluca Piccolo