The vulnerability is addressed in the 2018.1, 2018.2 versions of CloudVision Portal

Overview :
In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train allows users with read-only permissions to bypass permissions for restricted functionality via CVP API calls through the Configlet Builder modules. This vulnerability can potentially enable authenticated users with read-only access to take actions that are otherwise restricted in the GUI.
Affected Product(s) :
  • All releases in the 2018.1 Code train
  • All releases in the 2018.2 Code train
Vulnerability Details :
CVE ID : CVE-2019-15006
CVSSv3 Base Score: 5.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

Solution :

The vulnerability is addressed in the 2019.1.0 and later versions of CloudVision Portal. We recommend upgrading to a remediated release to safeguard against this vulnerability.

Additionally, for the 2018.2 release train, a hotfix is available in the form of a python script that updates permissions for the affected APIs. For the 2018.1 code train, the suggested course of action is to upgrade to one of the remediated release versions (2019.1.0 and above).

Patch file download URL: SecAdvisory0044Hotfix.pyc

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-1840 : Home Clean Services Management System Stored Cross-Site Scripting (XSS)

CVE-2022-1840 : Home Clean Services Management System Stored Cross-Site Scripting (XSS)

Description Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being

CVE-2022-1558 : Multiple Stored Cross-Site Scripting vulnerabilities in WordPress curtain plugin 1.0.2

CVE-2022-1558 : Multiple Stored Cross-Site Scripting vulnerabilities in WordPress curtain plugin 1.0.2

Description Several Cross-Site Scripting vulnerabilities in the Curtain WordPress plugin. Due to these Cross-Site Scripting vulnerabilities, an attacker would be

CVE-2022-AVAST2 : Self-Defense Bypass via Repairing Function

CVE-2022-AVAST2 : Self-Defense Bypass via Repairing Function

Description It was noted that there is security checking to prevent some of the Avast processes from loading of undesired/unsigned