CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25155 – Reflected Cross-Site Scripting (XSS) in FileCatalyst Direct 3.8.8 and earlier
https://notcve.org/view.php?id=CVE-2024-25155
13 Mar 2024 — In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag. En FileCatalyst Direct 3.8.8 y versiones anteriores hasta 3.8.6, el servidor web no sanitiza adecuadamente los caracteres ilegales en una URL que luego se muestra en una página de error posterior. Un actor malicioso podría crear un... • https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25154 – Path Traversal in FileCatalyst Direct 3.8.8 and Earlier
https://notcve.org/view.php?id=CVE-2024-25154
13 Mar 2024 — Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage. Una validación de URL incorrecta provoca un path traversal en FileCatalyst Direct 3.8.8 y versiones anteriores, lo que permite que un payload codificado haga que el servidor web devuelva archivos ubicados fuera de la raíz web, lo que puede provocar una fuga de datos. • https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •