CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23328
https://notcve.org/view.php?id=CVE-2023-23328
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. • http://avantfax.com https://github.com/superkojiman/vulnerabilities/blob/master/AvantFAX-3.3.7/README.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23326
https://notcve.org/view.php?id=CVE-2023-23326
A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. • http://avantfax.com https://github.com/superkojiman/vulnerabilities/blob/master/AvantFAX-3.3.7/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23327
https://notcve.org/view.php?id=CVE-2023-23327
An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls. • http://avantfax.com https://github.com/superkojiman/vulnerabilities/blob/master/AvantFAX-3.3.7/README.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •