
CVE-2025-32352
https://notcve.org/view.php?id=CVE-2025-32352
05 Apr 2025 — A type confusion vulnerability in lib/NSSAuthenticator.php in ZendTo before v5.04-7 allows remote attackers to bypass authentication for users with passwords stored as MD5 hashes that can be interpreted as numbers. A solution requires moving from MD5 to bcrypt. • https://projectblack.io/blog/zendto-nday-vulnerabilities • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVE-2021-27888
https://notcve.org/view.php?id=CVE-2021-27888
02 Mar 2021 — ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. • https://zend.to/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-8986
https://notcve.org/view.php?id=CVE-2020-8986
24 Mar 2020 — lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests. • https://zend.to/changelog.php • CWE-754: Improper Check for Unusual or Exceptional Conditions

CVE-2020-8985
https://notcve.org/view.php?id=CVE-2020-8985
24 Mar 2020 — ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality. • https://zend.to/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2020-8984
https://notcve.org/view.php?id=CVE-2020-8984
24 Mar 2020 — lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header. • http://jul.es/pipermail/zendto/2020-January/003845.html • CWE-346: Origin Validation Error

CVE-2018-1000841
https://notcve.org/view.php?id=CVE-2018-1000841
20 Dec 2018 — Zend.To prior to 5.15-1 contains a cross-site scripting (XSS) vulnerability in the verify.php page that allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser. This attack appears to be exploitable via an HTTP POST request. The vulnerability appears to have been fixed in 5.16-1 Beta. • https://zend.to/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-6808
https://notcve.org/view.php?id=CVE-2013-6808
28 Dec 2013 — Cross-site scripting (XSS) vulnerability in lib/NSSDropoff.php in ZendTo before 4.11-13 allows remote attackers to inject arbitrary web script or HTML via a modified emailAddr field to pickup.php. • http://www.zend.to/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')