13 matches found
CVE-2022-45179
LIVEBOX Collaboration vDesk (through v031) has a basic XSS vulnerability in the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter, and in /dashboard/reminders. A remote authenticated user can inject arbitrary HTML into the reminder title, potentially corrupting the pag...
CVE-2022-45169
CVE-2022-45169 affects LIVEBOX Collaboration vDesk (through v031). It describes an Open Redirect: an authenticated user can trigger a URL redirection via /api/v1/notification/createnotification to send a push notification to another user that can include an invisible clickable link. Reported metr...
CVE-2022-45177
LIVEBOX Collaboration vDesk (through v031) is affected. A vulnerability described as an Observable Response Discrepancy occurs on /api/v1/vdeskintegration/user/isenableuser, /api/v1/sharedsearch?search={NAME]+{SURNAME], and /login, where the web app reveals internal state information to unauthori...
CVE-2022-45180
CVE-2022-45180 affects LIVEBOX Collaboration vDesk (through v018) with Broken Access Control at the /api/v1/vdesk_{DOMAIN]/export endpoint. A user authenticated to the product without special privileges can export information for all users, a function intended for administrators. Public reference...
CVE-2022-45173
CVE-2022-45173 affects LIVEBOX Collaboration vDesk (vDesk) through v018. The flaw allows bypassing Two-Factor Authentication by tampering with the response at /api/v1/vdeskintegration/challenge, since client-side verification can be bypassed. Impact is high (CVE indicates full confidentiality, in...
CVE-2022-45175
The vulnerability CVE-2022-45175 affects LIVEBOX Collaboration vDesk through v018. The issue is an Insecure Direct Object Reference in the endpoint 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket, allowing an unauthenticated attacker to access cached files in the OnlyOffice backend of other users by gu...
CVE-2022-45176
CVE-2022-45176 affects LIVEBOX Collaboration vDesk through v018. The issue is a stored Cross-site Scripting (XSS) vulnerability at the endpoint /api/v1/getbodyfile, triggered by the input parameter uri . The web application does not properly validate parameters before saving them on the server, a...
CVE-2022-45168
LIVEBOX Collaboration vDesk (v018 and prior) is affected by CVE-2022-45168. The issue allows bypassing two-factor authentication by generating or regenerating backup codes at the endpoints /login/backup_code and /api/v1/vdeskintegration/createbackupcodes before the TOTP check is performed. Root c...
CVE-2022-45171
CVE-2022-45171 affects LIVEBOX Collaboration vDesk (through v018). The issue is an Unrestricted Upload of a File with a Dangerous Type in the vShare web site section, allowing an authenticated remote user to upload potentially dangerous files without restrictions. The cited sources (NVD/Red Hat e...
CVE-2022-45174
CVE-2022-45174 affects LIVEBOX Collaboration vDesk versions through v018. The issue allows bypassing Two-Factor Authentication for SAML users via /login/backup_code and /api/v1/vdeskintegration/challenge, by supplying a non-validated backup code, due to improper TOTP verification. Documents descr...
CVE-2022-45172
LIVEBOX Collaboration vDesk (pre-v018) is affected by a Broken Access Control issue caused by flaws in authorization logic. The vulnerability enables a malicious user with no privileges to escalate to administrator and access other user accounts via three endpoints: /api/v1/registration/validateE...
CVE-2022-45170
CVE-2022-45170 affects LIVEBOX Collaboration vDesk (pre-v018) via the endpoint /api/v1/vencrypt/decrypt/file. A malicious user, already logged into a victim’s account, can decipher a file without the user’s key, revealing a cryptographic issue impacting confidentiality. The current sources descri...
CVE-2022-45178
The CVE-2022-45178 entry concerns LIVEBOX Collaboration vDesk v018 and earlier, where a Broken Access Control flaw exists in multiple endpoints: /api/v1/vdeskintegration/saml/user/createorupdate, /settings/guest-settings, /settings/samlusers-settings, and /settings/users-settings. A logged-in SAM...