
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2024 — Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed. • https://www.znuny.com

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2024 — Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDoS via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process. • https://www.znuny.com

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

29 Apr 2024 — An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request. • https://www.znuny.org/en/advisories/zsa-2024-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Apr 2024 — An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript. • https://www.znuny.org/en/advisories/zsa-2024-02 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Apr 2024 — An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server. • https://www.znuny.org/en/advisories/zsa-2024-01 • CWE-94: Improper Control of Generation of Code ('Code Injection')