Vulnerabilities (CVE)

Filtered by vendor Avantfax Subscribe
Filtered by product Avantfax
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-23328 1 Avantfax 1 Avantfax 2024-02-04 N/A 8.8 HIGH
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file.
CVE-2023-23327 1 Avantfax 1 Avantfax 2024-02-04 N/A 4.9 MEDIUM
An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls.
CVE-2023-23326 1 Avantfax 1 Avantfax 2024-02-04 N/A 5.4 MEDIUM
A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session.
CVE-2020-11766 2 Avantfax, Ifax 2 Avantfax, Hylafax 2024-02-04 6.5 MEDIUM 8.8 HIGH
sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection.
CVE-2017-18024 1 Avantfax 1 Avantfax 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.