Harold Rodriguez

3 exploits Active since Mar 2023
CVE-2023-23326 WRITEUP MEDIUM WRITEUP
AvantFAX 3.3.7 - Authenticated Stored Cross-Site Scripting via Email Address Field
A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session.
CVSS 5.4
CVE-2023-23327 WRITEUP MEDIUM WRITEUP
AvantFAX 3.3.7 - Unauthenticated Exposure of Sensitive Information via Backup Files
An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls.
CVSS 4.9
CVE-2023-23328 WRITEUP HIGH WRITEUP
AvantFAX 3.3.7 - Authenticated Unrestricted PHP File Upload via FileUpload.php
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file.
CVSS 8.8