CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0424 – Multiple Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-0424
18 Feb 2025 — In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple authenticated stored cross-site scripting vulnerabilities. An authenticated attacker is able to compromise the sessions of other users on the server by injecting JavaScript code into their session using an "Authenticated Stored Cross-Site Scripting". Those other users might have more privileges than the attacker, enabling a form of horizontal movement. In the "bestinformed Web" application, some user in... • https://www.cordaware.com/changelog/en/version-6_4_0_4-release-13_02_2025.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0423 – Multiple Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-0423
18 Feb 2025 — In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple unauthenticated stored cross-site scripting vulnerabilities. An unauthenticated attacker is able to compromise the sessions of users on the server by injecting JavaScript code into their session using an "Unauthenticated Stored Cross-Site Scripting". The attacker is then able to ride the session of those users and can abuse their privileges on the "bestinformed Web" application. In the "bestinformed Web... • https://www.cordaware.com/changelog/en/version-6_4_0_4-release-13_02_2025.html • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0422 – Authenticated Remote Code Execution via ScriptVar
https://notcve.org/view.php?id=CVE-2025-0422
18 Feb 2025 — An authenticated user in the "bestinformed Web" application can execute commands on the underlying server running the application. (Remote Code Execution) For this, the user must be able to create "ScriptVars" with the type „script" and preview them by, for example, creating a new "Info". By default, admin users have those permissions, but with the granular permission system, those permissions may be assigned to other users. An attacker is able to execute commands on the server running the "bestinformed Web... • https://www.cordaware.com/changelog/en/version-6_4_0_4-release-13_02_2025.html • CWE-20: Improper Input Validation •