CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47020
https://notcve.org/view.php?id=CVE-2023-47020
08 Feb 2024 — Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Handler v.1.5.1 allows privileges to be escalated by an attacker through a crafted request involving user account creation and adding the user to an administrator group. This is exploited by an undisclosed function in the WSDL that lacks security controls and can accept custom content types. El encadenamiento de Multiple Cross-Site Request Forgery (CSRF) en NCR Terminal Handler v.1.5.1 permite que un atacante aumente los privilegios a travé... • https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47020 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47022
https://notcve.org/view.php?id=CVE-2023-47022
06 Feb 2024 — Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1 allows an unprivileged user to edit the audit logs for any user and can lead to CSV injection. Un problema en NCR Terminal Handler v.1.5.1 permite a un atacante remoto ejecutar código arbitrario a través de un script manipulado en el parámetro payload. • https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47022 • CWE-639: Authorization Bypass Through User-Controlled Key CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47024
https://notcve.org/view.php?id=CVE-2023-47024
20 Jan 2024 — Cross-Site Request Forgery (CSRF) in NCR Terminal Handler v.1.5.1 leads to a one-click account takeover. This is achieved by exploiting multiple vulnerabilities, including an undisclosed function in the WSDL that has weak security controls and can accept custom content types. Vulnerabilidad de Cross Site Request Forgery en NCR Terminal Handler v.1.5.1 permite a un atacante remoto obtener información confidencial y escalar privilegios a través de un script manipulado al componente UserSelfService. • https://docs.google.com/document/d/18EOsFghBsAme0b3Obur8Oc6h5xV9zUCNKyQLw5ERs9Q/edit?usp=sharing • CWE-352: Cross-Site Request Forgery (CSRF) •