Vulnerabilities (CVE)

Filtered by vendor Hyland Subscribe
Total 24 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-49964 1 Hyland 1 Alfresco Content Services 2023-12-14 N/A 8.8 HIGH
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
CVE-2021-32828 1 Hyland 1 Nuxeo 2023-12-10 N/A 6.1 MEDIUM
The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.
CVE-2022-23342 1 Hyland 1 Onbase 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.
CVE-2020-25259 1 Hyland 1 Onbase 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner.
CVE-2020-25254 1 Hyland 1 Onbase 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer.
CVE-2020-25249 1 Hyland 1 Onbase 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. The server typically logs activity only when a client application specifies that logging is desired. This can be problematic for use cases in a regulated industry, where server-side logging is required in additional situations.
CVE-2020-25257 1 Hyland 1 Onbase 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows XXE attacks for read/write access to arbitrary files.
CVE-2020-25252 1 Hyland 1 Onbase 2023-12-10 6.8 MEDIUM 8.8 HIGH
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account).
CVE-2020-25256 1 Hyland 1 Onbase 2023-12-10 6.4 MEDIUM 9.1 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across different customers' installations.
CVE-2020-25251 1 Hyland 1 Onbase 2023-12-10 6.4 MEDIUM 9.1 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information.
CVE-2020-25260 1 Hyland 1 Onbase 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization.
CVE-2020-25253 1 Hyland 1 Onbase 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by the TableName, ColumnName, Name, UserId, or Password parameter.
CVE-2020-25255 1 Hyland 1 Onbase 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to cause a denial of service (outage of connection-request processing) via a long user ID, which triggers an exception and a large log entry.
CVE-2020-25250 1 Hyland 1 Onbase 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client applications can write arbitrary data to the server logs.
CVE-2020-25258 1 Hyland 1 Onbase 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages.
CVE-2020-25247 1 Hyland 1 Onbase 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. Directory traversal exists for writing to files, as demonstrated by the FileName parameter.
CVE-2020-25248 1 Hyland 1 Onbase 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Directory traversal exists for reading files, as demonstrated by the FileName parameter.
CVE-2018-19629 1 Hyland 1 Perceptive Content Server 2023-12-10 5.0 MEDIUM 7.5 HIGH
A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection.
CVE-2018-6293 1 Hyland 1 Saperion Web Client 2023-12-10 5.0 MEDIUM 7.5 HIGH
Arbitrary File Read in Saperion Web Client version 7.5.2 83166.
CVE-2018-6292 1 Hyland 1 Saperion Web Client 2023-12-10 10.0 HIGH 9.8 CRITICAL
Remote Code Execution in Saperion Web Client version 7.5.2 83166.