Lyf123Lyf

#12201of 53,630
22.4Total CVSS
Vulnerabilities · 4
Medium
4
PT-2022-19758
6.1
2022-05-31
Ofcms · Ofcms · CVE-2022-29653
**Name of the Vulnerable Software and Affected Versions** OFCMS version 1.1.4 **Description** A cross-site scripting (XSS) issue was found in OFCMS. The vulnerability is exploited via the `/admin/comn/service/update.json` API endpoint. **Recommendations** For OFCMS version 1.1.4, as a temporary workaround, consider restricting access to the `/admin/comn/service/update.json` API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-18720
5.5
2022-04-10
Ofcms · Ofcms · CVE-2022-27960
**Name of the Vulnerable Software and Affected Versions** OFCMS version 1.1.4 **Description** The issue is related to insecure permissions configured in the `user id` parameter at `SysUserController.java`, allowing attackers to access and arbitrarily modify users' personal information. **Recommendations** For OFCMS version 1.1.4, consider restricting access to the `SysUserController.java` to minimize the risk of exploitation. Avoid using the `user id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-18721
5.4
2022-04-10
Ofcms · Ofcms · CVE-2022-27961
**Name of the Vulnerable Software and Affected Versions** OFCMS version 1.1.4 **Description** A cross-site scripting (XSS) issue exists, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Comment` text box at the "/ofcms/company-c-47" API endpoint. **Recommendations** For OFCMS version 1.1.4, as a temporary workaround, consider disabling the comment functionality or restricting access to the "/ofcms/company-c-47" endpoint until a patch is available. Avoid using the `Comment` text box in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-17930
5.4
2022-03-20
Eova · Eova · CVE-2022-26555
**Name of the Vulnerable Software and Affected Versions** Eova version 1.6.0 **Description** A stored cross-site scripting issue in the Add a Button function allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `button name` text box. **Recommendations** For Eova version 1.6.0, as a temporary workaround, consider disabling the Add a Button function until a patch is available. Restrict access to the button name text box to minimize the risk of exploitation. Avoid using the `button name` text box in the affected function until the issue is resolved.