Daniel Morales - Security Researcher - Exploit Intelligence Platform

CVE-2021-46354 EXPLOITDB HIGH text WRITEUP

Thinfinity VirtualUI <3.0 - Info Disclosure

Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can allow the vulnerable server to filtrate the real IP of the web server or increase the attack surface.

CVSS 7.5

View Code

CVE-2021-45092 EXPLOITDB CRITICAL text WRITEUP

Thinfinity VirtualUI <3.0 - Code Injection

Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.

CVSS 9.8

View Code

CVE-2021-44848 EXPLOITDB MEDIUM text WRITEUP

Thinfinity VirtualUI < 3.0 - User Enumeration via Password Change Response Discrepancy

In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.

CVSS 5.3

View Code