CVE-2023-36993
https://notcve.org/view.php?id=CVE-2023-36993
The cryptographically insecure random number generator being used in TravianZ 8.3.4 and 8.3.3 in the password reset function allows an attacker to guess the password reset parameters and to take over accounts. • https://bramdoessecurity.com/travianz-hacked • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2023-36992
https://notcve.org/view.php?id=CVE-2023-36992
PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code. • https://bramdoessecurity.com/travianz-hacked • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-36994
https://notcve.org/view.php?id=CVE-2023-36994
In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code. • https://bramdoessecurity.com/travianz-hacked • CWE-863: Incorrect Authorization
CVE-2023-36995
https://notcve.org/view.php?id=CVE-2023-36995
TravianZ through 8.3.4 allows XSS via the Alliance tag/name, the statistics page, the link preferences, the Admin Logs, or the COOKUSR cookie. • https://bramdoessecurity.com/travianz-hacked • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')