CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45176
https://notcve.org/view.php?id=CVE-2022-45176
10 Jun 2024 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. Stored Cross-site Scripting (XSS) can occur under the /api/v1/getbodyfile endpoint via the uri parameter. The web application (through its vShare functionality section) doesn't properly check parameters, sent in HTTP requests as input, before saving them on the server. In addition, crafted JavaScript content can then be reflected back to the end user and executed by the web browser. • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45168
https://notcve.org/view.php?id=CVE-2022-45168
10 Jun 2024 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP. • https://www.gruppotim.it/it/footer/red-team.html •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45171
https://notcve.org/view.php?id=CVE-2022-45171
28 May 2024 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Unrestricted Upload of a File with a Dangerous Type can occur under the vShare web site section. A remote user, authenticated to the product, can arbitrarily upload potentially dangerous files without restrictions. Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v018. Se puede realizar una carga sin restricciones de un archivo con un tipo peligroso en la sección del sitio web de vShare. • https://www.gruppotim.it/it/footer/red-team.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45169
https://notcve.org/view.php?id=CVE-2022-45169
21 Feb 2024 — An issue was discovered in LIVEBOX Collaboration vDesk through v031. A URL Redirection to an Untrusted Site (Open Redirect) can occur under the /api/v1/notification/createnotification endpoint, allowing an authenticated user to send an arbitrary push notification to any other user of the system. This push notification can include an (invisible) clickable link. Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v031. Se puede producir una redirección de URL a un sitio que no es de confianza (redir... • https://www.gruppotim.it/it/footer/red-team.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45179
https://notcve.org/view.php?id=CVE-2022-45179
21 Feb 2024 — An issue was discovered in LIVEBOX Collaboration vDesk through v031. A basic XSS vulnerability exists under the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter and /dashboard/reminders. A remote user (authenticated to the product) can store arbitrary HTML code in the reminder section title in order to corrupt the web page (for example, by creating phishing sections to exfiltrate victims' credentials). Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v031. Existe un... • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45177
https://notcve.org/view.php?id=CVE-2022-45177
21 Feb 2024 — An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and the /login endpoint. The web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v031.... • https://www.gruppotim.it/it/footer/red-team.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-203: Observable Discrepancy •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45170
https://notcve.org/view.php?id=CVE-2022-45170
14 Apr 2023 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Cryptographic Issue can occur under the /api/v1/vencrypt/decrypt/file endpoint. A malicious user, logged into a victim's account, is able to decipher a file without knowing the key set by the user. • https://www.gruppotim.it/it/footer/red-team.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45173
https://notcve.org/view.php?id=CVE-2022-45173
14 Apr 2023 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. Because only the client-side verifies whether a check was successful, an attacker can modify the response, and fool the application into concluding that the TOTP was correct. • https://www.gruppotim.it/it/footer/red-team.html • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45174
https://notcve.org/view.php?id=CVE-2022-45174
14 Apr 2023 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication for SAML Users can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint. The correctness of the TOTP is not checked properly, and can be bypassed by passing any string as the backup code. • https://www.gruppotim.it/it/footer/red-team.html • CWE-287: Improper Authentication •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45175
https://notcve.org/view.php?id=CVE-2022-45175
14 Apr 2023 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file. • https://www.gruppotim.it/it/footer/red-team.html • CWE-639: Authorization Bypass Through User-Controlled Key •