8 matches found
CVE-2023-23327
An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls...
CVE-2023-23328
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file...
CVE-2023-23326
A Stored Cross-Site Scripting XSS vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an...
Unrestricted file upload
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file...
iFAX AvantFAX 信息泄露漏洞
iFAX AvantFAX is a web application from iFAX Corporation that allows users to view and send faxes on any platform without the need to install special software. A security vulnerability exists in iFAX AvantFAX version 3.3.7, which stems from an information disclosure vulnerability where backups of...
CVE-2023-23326
A Stored Cross-Site Scripting XSS vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an...
CVE-2023-23327
Summary (concrete facts): CVE-2023-23327 affects AvantFAX 3.3.7, where backups of sent/received faxes and database backups are stored on the web server with the current date as filenames and without access controls, enabling potential information disclosure. Multiple connected sources corroborate...
CVE-2023-23326
AvantFAX 3.3.7 contains a Stored Cross-Site Scripting (XSS) vulnerability. An authenticated low-privilege user can inject arbitrary JavaScript into their email address, which is executed when an administrator logs in to view the admin dashboard, potentially enabling theft of the administrator’s s...