CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45179
https://notcve.org/view.php?id=CVE-2022-45179
An issue was discovered in LIVEBOX Collaboration vDesk through v031. A basic XSS vulnerability exists under the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter and /dashboard/reminders. A remote user (authenticated to the product) can store arbitrary HTML code in the reminder section title in order to corrupt the web page (for example, by creating phishing sections to exfiltrate victims' credentials). Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v031. Existe una vulnerabilidad XSS básica en el endpoint /api/v1/vdeskintegration/todo/createorupdate a través del parámetro title y /dashboard/reminders. • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45177
https://notcve.org/view.php?id=CVE-2022-45177
An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and the /login endpoint. The web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v031. • https://www.gruppotim.it/it/footer/red-team.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-203: Observable Discrepancy •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45169
https://notcve.org/view.php?id=CVE-2022-45169
An issue was discovered in LIVEBOX Collaboration vDesk through v031. A URL Redirection to an Untrusted Site (Open Redirect) can occur under the /api/v1/notification/createnotification endpoint, allowing an authenticated user to send an arbitrary push notification to any other user of the system. This push notification can include an (invisible) clickable link. Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v031. Se puede producir una redirección de URL a un sitio que no es de confianza (redirección abierta) en el endpoint /api/v1/notification/createnotification, lo que permite a un usuario autenticado enviar una notificación push arbitraria a cualquier otro usuario del sistema. • https://www.gruppotim.it/it/footer/red-team.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45170
https://notcve.org/view.php?id=CVE-2022-45170
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Cryptographic Issue can occur under the /api/v1/vencrypt/decrypt/file endpoint. A malicious user, logged into a victim's account, is able to decipher a file without knowing the key set by the user. • https://www.gruppotim.it/it/footer/red-team.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45174
https://notcve.org/view.php?id=CVE-2022-45174
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication for SAML Users can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint. The correctness of the TOTP is not checked properly, and can be bypassed by passing any string as the backup code. • https://www.gruppotim.it/it/footer/red-team.html • CWE-287: Improper Authentication •