CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39691
https://notcve.org/view.php?id=CVE-2023-39691
An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request. Un problema descubierto en kodbox hasta la versión 1.43 permite a los atacantes agregar arbitrariamente cuentas de administrador mediante una solicitud GET manipulada. • https://blog.mo60.cn/index.php/archives/kodbox_Logical.html •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52068
https://notcve.org/view.php?id=CVE-2023-52068
kodbox v1.43 was discovered to contain a cross-site scripting (XSS) vulnerability via the operation and login logs. Se descubrió que kodbox v1.43 contenía una vulnerabilidad de cross site scripting (XSS) a través de los registros de operación e inicio de sesión. • https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss.html_Password_Kodbox_Stored_Xss1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6849 – kalcaddle kodbox app.php cover server-side request forgery
https://notcve.org/view.php?id=CVE-2023-6849
A vulnerability was found in kalcaddle kodbox up to 1.48. It has been rated as critical. Affected by this issue is the function cover of the file plugins/fileThumb/app.php. The manipulation of the argument path leads to server-side request forgery. The attack may be launched remotely. • https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c https://github.com/kalcaddle/kodbox/releases/tag/1.48.04 https://note.zhaoj.in/share/jSsPAWT1pKsq https://vuldb.com/?ctiid.248210 https://vuldb.com/?id.248210 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6848 – kalcaddle kodbox index.class.php check command injection
https://notcve.org/view.php?id=CVE-2023-6848
A vulnerability was found in kalcaddle kodbox up to 1.48. It has been declared as critical. Affected by this vulnerability is the function check of the file plugins/officeViewer/controller/libreOffice/index.class.php. The manipulation of the argument soffice leads to command injection. The attack can be launched remotely. • https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c https://github.com/kalcaddle/kodbox/releases/tag/1.48.04 https://note.zhaoj.in/share/pf838kAzQyTQ https://vuldb.com/?ctiid.248209 https://vuldb.com/?id.248209 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-48028
https://notcve.org/view.php?id=CVE-2023-48028
kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack. kodbox 1.46.01 tiene una falla de seguridad que permite la enumeración de usuarios. Este problema está presente en la página de inicio de sesión, donde un atacante puede identificar usuarios válidos basándose en diferentes mensajes de respuesta, lo que potencialmente allana el camino para un ataque de fuerza bruta. • https://github.com/nitipoom-jar/CVE-2023-48028 https://gist.github.com/bugplorer/9ae8ad7a9f2a3053ebd07a1b7b54deae https://nitipoom-jar.github.io/CVE-2023-48028 • CWE-307: Improper Restriction of Excessive Authentication Attempts •