
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to an open redirect in Safari_init.php due to an improperly sanitized 'ref' parameter. • https://www.tenable.com/security/research/tra-2021-25 • https://www.machform.com/blog-machform-16-released • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to unauthenticated remote code execution due to insufficient sanitization of file attachments uploaded with forms through upload.php. • https://www.tenable.com/security/research/tra-2021-25 • https://www.machform.com/blog-machform-16-released • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to stored cross-site scripting due to insufficient sanitization of file attachments uploaded with forms through upload.php. • https://www.tenable.com/security/research/tra-2021-25 • https://www.machform.com/blog-machform-16-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to cross-site request forgery due to a lack of CSRF tokens in place. • https://www.tenable.com/security/research/tra-2021-25 • https://www.machform.com/blog-machform-16-released • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to HTTP host header injection due to improperly validated host headers. This could cause a victim to receive malformed content. • https://www.tenable.com/security/research/tra-2021-25 • https://www.machform.com/blog-machform-16-released • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

26 May 2018 — An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection. • https://packetstorm.news/files/id/147948 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 3

26 May 2018 — An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve in the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter. • https://packetstorm.news/files/id/147948 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

26 May 2018 — An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter. Appnitro MachForm suffers from remote file upload, remote SQL injection, and path traversal vulnerabilities. • https://packetstorm.news/files/id/147948 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')