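This page aggregates CVE and security vulnerability information across vFairs-related products, listing CVSS, EPSS, publication dates, and vulnerability data.
Past issues mainly involve SQL injection and cross-site scripting; some can lead to session compromise, and they affect scenarios involving software deployment and production workloads.
The listed data is based on public vulnerability information and security advisories, and can be used to assess historical exposure and remediation priority.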
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-26680 | In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other user's profile information to include a cross-site scripting payload. The user data stored by the database includes HTML tags that are intentionally rendered out onto the page, and this can be abused to perform XSS attacks. | [email protected] | 5.4 | 0.47% | 2021-05-26 | 2024-11-21 |
| CVE-2020-26679 | vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other user's profile information or profile picture. After receiving any user's unique identification number and their own, an HTTP POST request can be made to update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or upload malicious PHP webshells as "profile pictures." The user IDs can be easily deter | [email protected] | 4.3 | 0.79% | 2021-05-26 | 2024-11-21 |
| CVE-2020-26678 | vFairs 3.3 is affected by Remote Code Execution. Any user logged in to a vFairs virtual conference or event can abuse the functionality to upload a profile picture in order to place a malicious PHP file on the server and gain code execution. | [email protected] | 8.8 | 2.17% | 2021-05-26 | 2024-11-21 |
| CVE-2020-26677 | Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API. | [email protected] | 8.8 | 1.05% | 2021-05-26 | 2024-11-21 |