5 results (0.008 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. • http://avantfax.com https://github.com/superkojiman/vulnerabilities/blob/master/AvantFAX-3.3.7/README.md • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. • http://avantfax.com https://github.com/superkojiman/vulnerabilities/blob/master/AvantFAX-3.3.7/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1

An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls. • http://avantfax.com https://github.com/superkojiman/vulnerabilities/blob/master/AvantFAX-3.3.7/README.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection. El archivo sendfax.php en iFAX AvantFAX versiones anteriores a 3.3.6 e HylaFAX Enterprise Web Interface versiones anteriores a 0.2.5, permite una Inyección de Comandos autenticada. • ftp://ftp.ifax.com/security/CVE-2020-11766.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1. AvantFAX 3.3.3 tiene Cross-Site Scripting (XSS) mediante un nombre de parámetro arbitrario en la URI por defecto, tal y como queda demostrado con un parámetro cuyo nombre contiene un elemento SCRIPT y cuyo valor es 1. AvantFAX version 3.3.3 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •