5 matches found
CVE-2022-24573
Element-IT HTTP Commander 7.0.0 is affected by a stored cross-site scripting (XSS) vulnerability in the admin interface. The issue allows unauthenticated attackers to obtain admin access by injecting a malicious script through the User-Agent field. The CVE describes the root cause as a stored XSS...
CVE-2021-40813
CVE-2021-40813 documents a cross-site scripting (XSS) vulnerability in the Zip Content feature of Element-IT HTTP Commander 3.1.9. The issue allows remote authenticated users to inject arbitrary web script or HTML via filenames. Affected software: Element-IT HTTP Commander 3.1.9; vulnerable compo...
CVE-2021-33213
The CVE-2021-33213 entry documents an SSRF in Elements-IT HTTP Commander 5.3.3, specifically in the Upload from URL feature. An authenticated attacker can supply an internal address to retrieve HTTP/FTP resources from the internal network, exposing internal resources. Root cause: SSRF in th...
CVE-2021-33211
CVE-2021-33211 affects Elements-IT HTTP Commander 5.3.3, due to a path traversal flaw in the Unzip feature. The vulnerability allows remote authenticated users to write files to arbitrary directories by supplying relative paths inside ZIP archives, enabling potential data impact beyond the intend...
CVE-2021-33212
Elements-IT HTTP Commander 5.3.3 contains a cross-site scripting (XSS) flaw in the "View in Browser"/"Browser View" feature. A remote authenticated user can inject arbitrary script/HTML through a crafted SVG image. Documented impact is XSS with partial integrity impact; no patch/version remediati...