CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28143 – Insecure Password Change Function
https://notcve.org/view.php?id=CVE-2024-28143
The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-620: Unverified Password Change •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28146 – Hardcoded credentials
https://notcve.org/view.php?id=CVE-2024-28146
The application uses several hard-coded credentials to encrypt config files during backup, to decrypt the new firmware during an update and some passwords allow a direct connection to the database server of the affected device. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-798: Use of Hard-coded Credentials •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50584 – SQL Injection
https://notcve.org/view.php?id=CVE-2024-50584
An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter is vulnerable against blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the templates parameter. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28145 – Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-28145
An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value are vulnerable. For example, one SQL injection can be performed on the parameter "field" with the UNION keyword. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36498 – Stored cross site scripting
https://notcve.org/view.php?id=CVE-2024-36498
Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. Version 7.40 implemented a fix, but it could be bypassed via URL-encoding the Javascript payload again. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •