
CVSS: 8.3 • EPSS: 0% • CPEs: 2 • EXPL: 1

07 Jul 2023 — PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code. • https://bramdoessecurity.com/travianz-hacked • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 1

07 Jul 2023 — The cryptographically insecure random number generator being used in TravianZ 8.3.4 and 8.3.3 in the password reset function allows an attacker to guess the password reset parameters and to take over accounts. • https://bramdoessecurity.com/travianz-hacked • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 1

07 Jul 2023 — In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code. • https://bramdoessecurity.com/travianz-hacked • CWE-863: Incorrect Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jul 2023 — TravianZ through 8.3.4 allows XSS via the Alliance tag/name, the statistics page, the link preferences, the Admin Logs, or the COOKUSR cookie. • https://bramdoessecurity.com/travianz-hacked • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')