Harold Rodriguez

**Name of the Vulnerable Software and Affected Versions** AvantFAX version 3.3.7 **Description** A Stored Cross-Site Scripting (XSS) issue exists, allowing an authenticated low-privilege user to inject arbitrary Javascript into their e-mail address. This code is executed when an administrator logs in to view the admin dashboard, potentially resulting in the theft of an administrator's session cookie and session hijacking. **Recommendations** For AvantFAX version 3.3.7, consider restricting access to the admin dashboard until a fix is available, and avoid using the e-mail address field for any sensitive operations. As a temporary workaround, consider validating and sanitizing user-input data, especially in the e-mail address field, to prevent malicious Javascript injection.

**Name of the Vulnerable Software and Affected Versions** AvantFAX version 3.3.7 **Description** An Information Disclosure issue exists, where backups of sent and received faxes, along with database backups, are stored on the web server without access controls, using the current date as the filename. **Recommendations** For AvantFAX version 3.3.7, consider implementing access controls for the backups stored on the web server to prevent unauthorized access. As a temporary workaround, restrict access to the backup files until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** AvantFAX version 3.3.7 **Description** A File Upload issue exists, allowing an authenticated user to bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. **Recommendations** For AvantFAX version 3.3.7, consider disabling the file upload functionality in FileUpload.php until a patch is available to prevent exploitation. Restrict access to the FileUpload.php module to minimize the risk of uploading specially crafted PHP files.