Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for cellos by cellopoint

    CVE-2020-17386 (GCVE-0-2020-17386)

    Vulnerability from nvd – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:15
    VLAI
    Title
    Cellopoint CelloOS - Server-Side Request Forgery (SSRF)
    Summary
    Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cellopoint CelloOS Affected: 0 , ≤ v4.1.10 Build 20190922 (custom)
    Create a notification for this product.
    Date Public
    2020-08-24 16:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:16.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CelloOS",
              "vendor": "Cellopoint",
              "versions": [
                {
                  "lessThanOrEqual": "v4.1.10 Build 20190922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-24T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.\u003c/p\u003e"
                }
              ],
              "value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-08T09:15:14.444Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update to v4.1.12 Build 20200701 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
              "ID": "CVE-2020-17386",
              "STATE": "PUBLIC",
              "TITLE": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CelloOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "0",
                                "version_value": "v4.1.10 Build 20190922"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cellopoint"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-918 Server-Side Request Forgery (SSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to v4.1.12 Build 20200701 or higher."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2020-17386",
        "datePublished": "2020-08-25T07:35:18.925Z",
        "dateReserved": "2020-08-07T00:00:00.000Z",
        "dateUpdated": "2025-05-08T09:15:14.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17385 (GCVE-0-2020-17385)

    Vulnerability from nvd – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:14
    VLAI
    Title
    Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure
    Summary
    Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.
    CWE
    • Unauthenticated Arbitrary File Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cellopoint CelloOS Affected: 0 , ≤ v4.1.10 Build 20190922 (custom)
    Create a notification for this product.
    Date Public
    2020-08-24 16:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:17.095Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CelloOS",
              "vendor": "Cellopoint",
              "versions": [
                {
                  "lessThanOrEqual": "v4.1.10 Build 20190922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-24T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.\u003c/p\u003e"
                }
              ],
              "value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Unauthenticated Arbitrary File Disclosure",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-08T09:14:05.045Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update to v4.1.12 Build 20200701 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
              "ID": "CVE-2020-17385",
              "STATE": "PUBLIC",
              "TITLE": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CelloOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "0",
                                "version_value": "v4.1.10 Build 20190922"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cellopoint"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Unauthenticated Arbitrary File Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to v4.1.12 Build 20200701 or higher."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2020-17385",
        "datePublished": "2020-08-25T07:35:18.510Z",
        "dateReserved": "2020-08-07T00:00:00.000Z",
        "dateUpdated": "2025-05-08T09:14:05.045Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17384 (GCVE-0-2020-17384)

    Vulnerability from nvd – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:12
    VLAI
    Title
    Cellopoint CelloOS - Remote Command Execution (RCE)
    Summary
    Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.
    CWE
    • Remote Command Execution (RCE)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cellopoint CelloOS Affected: 0 , ≤ v4.1.10 Build 20190922 (custom)
    Create a notification for this product.
    Date Public
    2020-08-24 16:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:17.071Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CelloOS",
              "vendor": "Cellopoint",
              "versions": [
                {
                  "lessThanOrEqual": "v4.1.10 Build 20190922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-24T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.\u003c/p\u003e"
                }
              ],
              "value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Command Execution (RCE)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-08T09:12:49.923Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate to v4.1.10 Build 20200210 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update to v4.1.10 Build 20200210 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cellopoint CelloOS - Remote Command Execution (RCE)",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
              "ID": "CVE-2020-17384",
              "STATE": "PUBLIC",
              "TITLE": "Cellopoint CelloOS - Remote Command Execution (RCE)"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CelloOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "0",
                                "version_value": "v4.1.10 Build 20190922"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cellopoint"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Command Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to v4.1.10 Build 20200210 or higher."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2020-17384",
        "datePublished": "2020-08-25T07:35:18.103Z",
        "dateReserved": "2020-08-07T00:00:00.000Z",
        "dateUpdated": "2025-05-08T09:12:49.923Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17386 (GCVE-0-2020-17386)

    Vulnerability from cvelistv5 – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:15
    VLAI
    Title
    Cellopoint CelloOS - Server-Side Request Forgery (SSRF)
    Summary
    Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cellopoint CelloOS Affected: 0 , ≤ v4.1.10 Build 20190922 (custom)
    Create a notification for this product.
    Date Public
    2020-08-24 16:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:16.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CelloOS",
              "vendor": "Cellopoint",
              "versions": [
                {
                  "lessThanOrEqual": "v4.1.10 Build 20190922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-24T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.\u003c/p\u003e"
                }
              ],
              "value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-08T09:15:14.444Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update to v4.1.12 Build 20200701 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
              "ID": "CVE-2020-17386",
              "STATE": "PUBLIC",
              "TITLE": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CelloOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "0",
                                "version_value": "v4.1.10 Build 20190922"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cellopoint"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-918 Server-Side Request Forgery (SSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to v4.1.12 Build 20200701 or higher."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2020-17386",
        "datePublished": "2020-08-25T07:35:18.925Z",
        "dateReserved": "2020-08-07T00:00:00.000Z",
        "dateUpdated": "2025-05-08T09:15:14.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17385 (GCVE-0-2020-17385)

    Vulnerability from cvelistv5 – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:14
    VLAI
    Title
    Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure
    Summary
    Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.
    CWE
    • Unauthenticated Arbitrary File Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cellopoint CelloOS Affected: 0 , ≤ v4.1.10 Build 20190922 (custom)
    Create a notification for this product.
    Date Public
    2020-08-24 16:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:17.095Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CelloOS",
              "vendor": "Cellopoint",
              "versions": [
                {
                  "lessThanOrEqual": "v4.1.10 Build 20190922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-24T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.\u003c/p\u003e"
                }
              ],
              "value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Unauthenticated Arbitrary File Disclosure",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-08T09:14:05.045Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update to v4.1.12 Build 20200701 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
              "ID": "CVE-2020-17385",
              "STATE": "PUBLIC",
              "TITLE": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CelloOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "0",
                                "version_value": "v4.1.10 Build 20190922"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cellopoint"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Unauthenticated Arbitrary File Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to v4.1.12 Build 20200701 or higher."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2020-17385",
        "datePublished": "2020-08-25T07:35:18.510Z",
        "dateReserved": "2020-08-07T00:00:00.000Z",
        "dateUpdated": "2025-05-08T09:14:05.045Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17384 (GCVE-0-2020-17384)

    Vulnerability from cvelistv5 – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:12
    VLAI
    Title
    Cellopoint CelloOS - Remote Command Execution (RCE)
    Summary
    Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.
    CWE
    • Remote Command Execution (RCE)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cellopoint CelloOS Affected: 0 , ≤ v4.1.10 Build 20190922 (custom)
    Create a notification for this product.
    Date Public
    2020-08-24 16:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:17.071Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CelloOS",
              "vendor": "Cellopoint",
              "versions": [
                {
                  "lessThanOrEqual": "v4.1.10 Build 20190922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-24T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.\u003c/p\u003e"
                }
              ],
              "value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Command Execution (RCE)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-08T09:12:49.923Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate to v4.1.10 Build 20200210 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update to v4.1.10 Build 20200210 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cellopoint CelloOS - Remote Command Execution (RCE)",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
              "ID": "CVE-2020-17384",
              "STATE": "PUBLIC",
              "TITLE": "Cellopoint CelloOS - Remote Command Execution (RCE)"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CelloOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "0",
                                "version_value": "v4.1.10 Build 20190922"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cellopoint"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Command Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to v4.1.10 Build 20200210 or higher."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2020-17384",
        "datePublished": "2020-08-25T07:35:18.103Z",
        "dateReserved": "2020-08-07T00:00:00.000Z",
        "dateUpdated": "2025-05-08T09:12:49.923Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }