21 matches found
AvantFAX 3.3.3 - Cross-Site Scripting
AvantFAX 3.3.3 contains a cross-site scripting vulnerability via an arbitrary parameter name submitted to the default URL, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1. id: CVE-2017-18024 info: name: AvantFAX 3.3.3 - Cross-Site Scripting author: pikpikc...
EUVD-2017-9164
Malware in sbrugna...
EUVD-2023-27428
Malicious code in bioql PyPI...
EUVD-2023-27427
Malicious code in bioql PyPI...
CVE-2023-23326
A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary JavaScript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an...
CVE-2023-23328
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file...
CVE-2025-1782 Unsanitized input in language form field
In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated...
CVE-2025-1782
CVE-2025-1782 affects HylaFAX Enterprise Web Interface and AvantFAX. The vulnerability arises from an unsanitized language form element that can be abused to include an arbitrary file in PHP code, enabling an authenticated attacker to perform actions as the web server user. The available document...
CVE-2023-23326
A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary JavaScript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an...
CVE-2023-23327
An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls...
CVE-2023-23328
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file...
Cross site scripting
A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary JavaScript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an...
Information disclosure
An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls...
CVE-2023-23328
The CVE-2023-23328 issue affects AvantFAX 3.3.7 where an authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file, enabling a file upload vulnerability with likely high impact to confidentiality, integrity, and availability per reported CV...
CVE-2023-23327
An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls...
CVE-2023-23328
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file...
CVE-2023-23328
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file...
Endless Group: XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024)
Summary: Hello Endless Hosting, I found an XSS on https://fax.pbx.itsendless.org/. This domain is running AvantFax software 3.3.6. However, the exploit of CVE-2017-18024 for version 3.3.3 is working on that version. Here is the exploit code of CVE-2017-18024: history.pushState'', '', '/'...
CVE-2017-18024
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1...
CVE-2017-18024
AvantFAX 3.3.3 is affected by a cross-site scripting (XSS) vulnerability in the web UI: an arbitrary parameter name passed to the default URI can include a SCRIPT tag, enabling arbitrary JavaScript in the victim’s browser. Impact includes potential session hijacking, defacement, or data leakage a...