Product Security Incident Response Team Portal

Nozomi Networks Product Security Incident Response Team (PSIRT) is responsible for investigating security concerns that potentially may affect our products and services.

NN-2024:2-01 | 2024-09-11 | Last update: 2024-09-19

Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0

NN-2023:16-01 | 2024-05-15 | Last update: 2024-05-20

Path traversal via 'zip slip' in Arc before v1.6.0

NN-2023:15-01 | 2024-05-15 | Last update: 2024-09-19

Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0

NN-2023:14-01 | 2024-05-15 | Last update: 2024-05-20

Unsafe temporary data privileges on Unix systems in Arc before v1.6.0

NN-2023:13-01 | 2024-05-15 | Last update: 2024-05-20

Missing authentication for local web interface in Arc before v1.6.0

NN-2024:1-01 | 2024-04-10 | Last update: 2024-09-19

DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1

NN-2023:17-01 | 2024-04-10 | Last update: 2024-09-19

Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1

NN-2023:12-01 | 2024-01-15 | Last update: 2024-09-19

Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0

NN-2023:9-01 | 2023-09-18 | Last update: 2024-09-19

Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0

NN-2023:11-01 | 2023-09-18 | Last update: 2024-09-19

SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0

NN-2023:10-01 | 2023-09-18 | Last update: 2024-09-19

DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0

NN-2023:8-01 | 2023-08-09 | Last update: 2024-09-19

Session Fixation in Guardian/CMC before 22.6.2

NN-2023:7-01 | 2023-08-09 | Last update: 2024-09-19

DoS via SAML configuration in Guardian/CMC before 22.6.2

NN-2023:6-01 | 2023-08-09 | Last update: 2024-09-19

Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2

NN-2023:5-01 | 2023-08-09 | Last update: 2024-05-20

Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2

NN-2023:4-01 | 2023-08-09 | Last update: 2024-09-19

Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2

NN-2023:3-01 | 2023-08-09 | Last update: 2024-09-19

Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2

NN-2023:2-01 | 2023-08-09 | Last update: 2024-09-19

Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2

NN-2023:1-01 | 2023-05-03 | Last update: 2024-05-20

Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2

NN-2022:2-02 | 2022-02-14 | Last update: 2024-09-19

Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0

NN-2022:2-01 | 2022-02-14 | Last update: 2024-09-19

Authenticated RCE on logo report upload in Guardian/CMC before 22.0.0

NN-2021:2-01 | 2021-02-04 | Last update: 2024-05-20

Authenticated command path traversal on timezone settings in Guardian/CMC before 20.0.7.4

NN-2021:1-01 | 2021-02-04 | Last update: 2024-05-20

Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4

NN-2020:3-01 | 2020-05-26 | Last update: 2024-05-20

Angular template injection on custom report name field

NN-2020:2-01 | 2020-05-26 | Last update: 2024-05-20

Cross-site request forgery attack on change password form

NN-2020:1-01 | 2020-02-25 | Last update: 2024-05-20

NGINX allows HTTP request smuggling

NN-2019:2-01 | 2019-11-11 | Last update: 2024-05-20

CSV Injection on node label

NN-2019:1-01 | 2019-11-11 | Last update: 2024-05-20

Stored XSS in field name data model

Read more about our incident response policy or contact PSIRT using our GPG key.