cpe:2.3:a:hyland:onbase:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Hyland (4cbf6081-43e8-5c1e-b8e8-d0a0dad432d9)
Product: Onbase (dd4e3b3e-9746-54e6-9312-6abe0dad1066)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

Columns: PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
Identifier: CVE:CVE-2026-26221
cpeApplicability: vulnerable
Submitted: 2026-06-03 15:18:05.431543
db.gcve.eu details: Hyland OnBase Timer Service Unauthenticated .NET Remoting RCE
Severity: CRITICAL (9.8)
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
Published: 2026-02-13T15:21:48.928Z
Updated: 2026-05-25T23:41:44.966Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2025-34153
cpeApplicability: vulnerable
Submitted: 2026-06-03 15:00:43.768070
db.gcve.eu details: Hyland OnBase < 17.0.2.87 .NET Remoting TCP Channel Unauthenticated RCE
Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM.
Published: 2025-08-13T16:51:26.020Z
Updated: 2026-05-15T11:14:55.234Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2022-23342
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:46:27.034606
db.gcve.eu details:
The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.
Published: 2022-06-21T13:29:21.000Z
Updated: 2024-08-03T03:36:20.420Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25260
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.086769
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization.
Published: 2020-09-11T02:18:53.000Z
Updated: 2024-08-04T15:33:05.587Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25259
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.086480
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner.
Published: 2020-09-11T02:19:03.000Z
Updated: 2024-08-04T15:33:05.331Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25258
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.086193
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages.
Published: 2020-09-11T02:19:15.000Z
Updated: 2024-08-04T15:33:05.439Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25257
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.085891
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows XXE attacks for read/write access to arbitrary files.
Published: 2020-09-11T02:19:24.000Z
Updated: 2024-08-04T15:33:05.562Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25256
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.085597
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across different customers' installations.
Published: 2020-09-11T02:19:35.000Z
Updated: 2024-08-04T15:33:05.557Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25255
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.085312
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to cause a denial of service (outage of connection-request processing) via a long user ID, which triggers an exception and a large log entry.
Published: 2020-09-11T02:19:51.000Z
Updated: 2024-08-04T15:33:05.409Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25254
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.085005
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer.
Published: 2020-09-11T02:20:00.000Z
Updated: 2024-08-04T15:33:05.320Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25253
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.084665
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by the TableName, ColumnName, Name, UserId, or Password parameter.
Published: 2020-09-11T02:20:09.000Z
Updated: 2024-08-04T15:33:05.564Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25252
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.084271
db.gcve.eu details:
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account).
Published: 2020-09-11T02:20:19.000Z
Updated: 2024-08-04T15:33:05.463Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25251
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.083982
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information.
Published: 2020-09-11T02:20:27.000Z
Updated: 2024-08-04T15:33:05.388Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25250
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.083689
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client applications can write arbitrary data to the server logs.
Published: 2020-09-11T02:20:39.000Z
Updated: 2024-08-04T15:33:05.586Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25249
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.083385
db.gcve.eu details:
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. The server typically logs activity only when a client application specifies that logging is desired. This can be problematic for use cases in a regulated industry, where server-side logging is required in additional situations.
Published: 2020-09-11T02:20:47.000Z
Updated: 2024-08-04T15:33:05.523Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25248
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.083049
db.gcve.eu details:
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Directory traversal exists for reading files, as demonstrated by the FileName parameter.
Published: 2020-09-11T02:20:55.000Z
Updated: 2024-08-04T15:33:05.667Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2020-25247
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:42:09.082580
db.gcve.eu details:
An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. Directory traversal exists for writing to files, as demonstrated by the FileName parameter.
Published: 2020-09-11T02:21:04.000Z
Updated: 2024-08-04T15:33:05.472Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data