Ncr
Products by Ncr Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 2 vulnerabilities in Ncr with an average score of 7.7 out of ten. Ncr did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2024 as compared to last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 2 | 7.65 |
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 1 | 9.80 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Ncr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Ncr Security Vulnerabilities
Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1
CVE-2023-47022
6.5 - Medium
- February 06, 2024
Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1 allows an unprivileged user to edit the audit logs for any user and can lead to CSV injection.
Insecure Direct Object Reference / IDOR
Cross-Site Request Forgery (CSRF) in NCR Terminal Handler v.1.5.1 leads to a one-click account takeover
CVE-2023-47024
8.8 - High
- January 20, 2024
Cross-Site Request Forgery (CSRF) in NCR Terminal Handler v.1.5.1 leads to a one-click account takeover. This is achieved by exploiting multiple vulnerabilities, including an undisclosed function in the WSDL that has weak security controls and can accept custom content types.
Session Riding
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089)
CVE-2021-3122
9.8 - Critical
- February 07, 2021
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
Shell injection
Command execution in Sun systems
CVE-1999-0033
- June 12, 1997
Command execution in Sun systems via buffer overflow in the at program.