Novus Managment System Vulnerabilities (CVE-2021-34820, CVE-2021-38421)

Hello,

Vulnerabilities mentioned below are fixed in the NMS with 1.51.2 version.
Vendor has already published the patches. Please visit
https://nms.aat.pl/en/ to download patches for the NMS software. I believe
that all NMS software with version below 1.51.2 is affected by Web Path
Traversal and Cross-Site Scripting vulnerabilities. However the vendor was
not able to provide a clear statement  about affected versions of NMS
software.

CVE-2021-34820  - Web Path Directory Traversal

Web Path Directory Traversal in the Novus HTTP Server. The Novus HTTP
Server is affected by the Directory Traversal for Arbitrary File Access
vulnerability. A remote, unauthenticated attacker using an HTTP GET request
may be able to exploit this issue to access sensitive data. The issue was
discovered in the NMS (Novus Management System) software.

Severity: Critical CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L (10)
Credit: Dariusz Gońda

CVE-2021-38421 Cross Site Scripting (Reflected)

The NMS before version 1.51.2, the WebUI has wrong HTTP 404 error handling
implemented. A remote, unauthenticated attacker may be able to exploit the
issue by sending malicious HTTP requests to non-existing URIs. The value of
the URL path filename is copied into the HTML document as plain text
tags.

Severity: Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)
Credit: Dariusz Gońda

Timeline:

10 April 2021 - bug discovered
12 April 2021 - vendor informed
13 April 2021 - vendor asked to provide more details about Web Directory
Path Traversal issue 20 April 2021 - vendor confirmed vulnerabilities
16 June 2021 - vendor provided the statement that a patch has been already
published
17 June 2021 – CVE numbers assigned
8 July 2021 - vulnerabilities published

Regards,
Dariusz Gońda

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/