CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25728
https://notcve.org/view.php?id=CVE-2020-25728
The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password include the admin account. El add-on Reset Password versiones anteriores a 1.2.0 para Alfresco, presenta un algoritmo roto (que implica un incremento) que permite a un usuario malicioso cambiar la contraseña de la cuenta de cualquier usuario, incluyendo la cuenta de administrador • https://amriunix.com/post/alfresco-reset-password-add-on-0-day-vulnerabilities • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2CVE-2020-8778 – Alfresco 5.2.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-8778
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project. Alfresco Enterprise versiones anteriores a 5.2.7 y Alfresco Community versiones anteriores a 6.2.0 (rb65251d6-b368), presentan una vulnerabilidad de tipo XSS por medio de un documento cargado, cuando el atacante posee acceso de escritura a un proyecto. Alfresco version 5.2.4 suffers from multiple persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/48162 http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html https://gitlab.com/snippets/1937042 https://issues.alfresco.com/jira/browse/ALF-22110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2CVE-2020-8777 – Alfresco 5.2.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-8777
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document. Alfresco Enterprise versiones anteriores a.2.7 y Alfresco Community versiones anteriores a 6.2.0 (rb65251d6-b368), presentan una vulnerabilidad de tipo XSS por medio de una foto de perfil de usuario, como es demostrado por medio de un elemento SCRIPT en un documento SVG. Alfresco version 5.2.4 suffers from multiple persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/48162 http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html https://gitlab.com/snippets/1937042 https://issues.alfresco.com/jira/browse/ALF-22110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2CVE-2020-8776 – Alfresco 5.2.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-8776
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file. Alfresco Enterprise versiones anteriores a.2.7 y Alfresco Community versiones anteriores a 6.2.0 (rb65251d6-b368), presentan una vulnerabilidad de tipo XSS por medio de la propiedad URL de un archivo. Alfresco version 5.2.4 suffers from multiple persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/48162 http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html https://gitlab.com/snippets/1937042 https://issues.alfresco.com/jira/browse/ALF-22110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19496
https://notcve.org/view.php?id=CVE-2019-19496
Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document. Alfresco Enterprise en versiones anteriores a la 5.2.5 permite un ataque de tipo XSS almacenado mediante un documento HTML cargado. • https://github.com/vipinxsec/Alfresco_XSS/blob/master/README.md https://vipinxsec.blogspot.com/2019/11/alfresco-stored-xss-vulnerability-blind.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •