Lodestone Security

9 exploits, active since May 2020
CVE-2019-18864 (HIGH, CVSS 7.5)
Blaauw Remote Kiln Control <v3.00r4 - Info Disclosure
/server-info and /server-status in Blaauw Remote Kiln Control through v3.00r4 allow an unauthenticated attacker to gain sensitive information about the host machine.
CVE-2019-18865 (MEDIUM, CVSS 5.3)
Blaauw Remote Kiln Control <v3.00r4 - Info Disclosure
Information disclosure via error message discrepancies in the authentication functions of Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to enumerate valid usernames.
CVE-2019-18866 (HIGH, CVSS 7.5)
Blaauw Remote Kiln Control <v3.00r4 - SQL Injection
Unauthenticated SQL injection via the username in the login mechanism of Blaauw Remote Kiln Control through v3.00r4 allows a user to extract arbitrary data from the rkc database.
CVE-2019-18867 (HIGH, CVSS 7.5)
Blaauw Remote Kiln Control <v3.00r4 - Info Disclosure
Browsable directories in Blaauw Remote Kiln Control through v3.00r4 allow an attacker to enumerate sensitive filenames and locations, including source code. This affects /ajax/, /common/, /engine/, /flash/, /images/, /Images/, /jscripts/, /lang/, /layout/, /programs/, and /sms/.
CVE-2019-18868 (CRITICAL, CVSS 9.8)
Blaauw Remote Kiln Control <v3.00r4 - Info Disclosure
Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc, /lang/nl.bak, or /lang/en.bak.
CVE-2019-18869 (CRITICAL, CVSS 9.8)
Blaauw Remote Kiln Control <v3.00r4 - RCE
Leftover debug code in Blaauw Remote Kiln Control through v3.00r4 allows a user to execute arbitrary PHP code via /default.php?idx=17.
CVE-2019-18870 (MEDIUM, CVSS 6.5)
Blaauw Remote Kiln Control <v3.00r4 - Path Traversal
A path traversal via the iniFile parameter in excel.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to download arbitrary files from the host machine.
CVE-2019-18871 (HIGH, CVSS 8.8)
Blaauw Remote Kiln Control <v3.00r4 - Path Traversal
A path traversal in debug.php, accessed via default.php, in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to upload arbitrary files, leading to arbitrary remote code execution.
CVE-2019-18872 (HIGH, CVSS 7.5)
Blaauw Remote Kiln Control <v3.00r4 - Info Disclosure
Weak password requirements in Blaauw Remote Kiln Control through v3.00r4 allow a user to set short or guessable passwords (e.g., 1 or 1234).