Chapman Schleiss

#16016of 53,633
16.8Total CVSS
Vulnerabilities · 3
Medium
3
PT-2024-28037
5.4
2024-06-10
Uniview · Uniview Nvr301-04S2-P4 · CVE-2024-3850
**Name of the Vulnerable Software and Affected Versions** Uniview NVR301-04S2-P4 **Description** The issue is related to a reflected cross-site scripting attack (XSS), where an attacker could send a user a URL that, if clicked, could execute malicious JavaScript in their browser. This issue requires authentication before it can be exploited, limiting its scope and severity. Even if JavaScript is executed, no additional benefits are obtained for the attacker. **Recommendations** For Uniview NVR301-04S2-P4, consider disabling access to potentially vulnerable API endpoints until a patch is available. Restrict access to sensitive areas of the application that may be susceptible to XSS attacks. Avoid using links from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2020-13807
6.1
2020-12-23
Crk · Crk Business Platform · CVE-2020-13969
**Name of the Vulnerable Software and Affected Versions** CRK Business Platform versions <= 2019.1 **Description** The issue allows reflected XSS via the erro.aspx page, specifically through the `CRK`, `IDContratante`, `Erro`, or `Mod` parameters. This vulnerability is path-independent. **Recommendations** For CRK Business Platform versions <= 2019.1, consider restricting access to the erro.aspx page or disabling the `CRK`, `IDContratante`, `Erro`, and `Mod` parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2018-6726
5.3
2018-02-26
Concrete5 · Concrete5 · CVE-2017-18195
Name of the Vulnerable Software and Affected Versions: Concrete5 versions prior to 8.3.0 Description: An issue was discovered in tools/conversations/view ajax.php. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to "/index.php/tools/required/conversations/view ajax" with incremental `cnvID` integers. Recommendations: For versions prior to 8.3.0, update to version 8.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/index.php/tools/required/conversations/view ajax" endpoint to prevent unauthorized comment enumeration.