CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 1CVE-2023-23326
https://notcve.org/view.php?id=CVE-2023-23326
10 Mar 2023 — A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. • http://avantfax.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23327
https://notcve.org/view.php?id=CVE-2023-23327
10 Mar 2023 — An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls. • http://avantfax.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23328
https://notcve.org/view.php?id=CVE-2023-23328
10 Mar 2023 — A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. • http://avantfax.com • CWE-434: Unrestricted Upload of File with Dangerous Type •