
CVE-2024-31842
https://notcve.org/view.php?id=CVE-2024-31842
20 Aug 2024 — An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token is sent in GET requests, ... • https://www.gruppotim.it/it/footer/red-team.html • CWE-863: Incorrect Authorization •

CVE-2024-28806
https://notcve.org/view.php?id=CVE-2024-28806
29 Jul 2024 — An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Remote unauthenticated attackers can upload files at an arbitrary path. • https://www.gruppotim.it/it/footer/red-team.html • CWE-36: Absolute Path Traversal •

CVE-2024-28804
https://notcve.org/view.php?id=CVE-2024-28804
29 Jul 2024 — An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Stored Cross-site scripting (XSS) can occur via POST. • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-28805
https://notcve.org/view.php?id=CVE-2024-28805
29 Jul 2024 — An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control. • https://www.gruppotim.it/it/footer/red-team.html • CWE-284: Improper Access Control •

CVE-2024-31847
https://notcve.org/view.php?id=CVE-2024-31847
21 May 2024 — An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. This reflects/stores the user input without sanitization. • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-31844
https://notcve.org/view.php?id=CVE-2024-31844
21 May 2024 — An issue was discovered in Italtel Embrace 1.6.4. The server does not properly handle application errors. In some cases, this leads to a disclosure of information about the server. An unauthenticated user is able to craft specific requests in order to make the application generate an error. Inside an error message, some information about the server is revealed, such as the absolute path of the source code of the application. • https://www.gruppotim.it/it/footer/red-team.html • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2024-31840
https://notcve.org/view.php?id=CVE-2024-31840
21 May 2024 — An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user accesses the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password. • https://www.gruppotim.it/it/footer/red-team.html • CWE-312: Cleartext Storage of Sensitive Information • CWE-319: Cleartext Transmission of Sensitive Information •

CVE-2024-31846
https://notcve.org/view.php?id=CVE-2024-31846
19 Apr 2024 — An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor. • https://www.gruppotim.it/it/footer/red-team.html • CWE-284: Improper Access Control •

CVE-2024-31841
https://notcve.org/view.php?id=CVE-2024-31841
19 Apr 2024 — An issue was discovered in Italtel Embrace 1.6.4. The web server fails to sanitize input data, allowing remote unauthenticated attackers to read arbitrary files on the filesystem. • https://www.gruppotim.it/it/footer/red-team.html • CWE-20: Improper Input Validation •

CVE-2022-39813
https://notcve.org/view.php?id=CVE-2022-39813
27 Jan 2023 — Italtel NetMatch-S CI 5.2.0-20211008 allows multiple reflected/stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it. • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •