This page aggregates CVEs and security vulnerability information across all Zucchetti-related products, listing CVSS, EPSS, publication date and vulnerability details.
Past issues mainly concern open redirect and file inclusion; some have led to session compromise, and they affect scenarios related to software deployment and production workloads.
The listed data is based on public vulnerability information and security advisories and can be used to assess past exposure and patching priority.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-61431 | A reflected cross-site scripting (XSS) vulnerability in the /jsp/gsfr_feditorHTML.jsp endpoint of Zucchetti ZMaintenance Infinity and Infinity Zucchetti v4.1 and earlier allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload into the pHtmlSource parameter. A vendor fix was released on 2025-06-18. | [email protected] | 6.1 | 0.02% | 2025-11-04 | 2026-02-04 |
| CVE-2025-52180 | Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint. | [email protected] | 6.1 | 0.03% | 2025-10-30 | 2025-12-22 |
| CVE-2024-51322 | Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom, /jsp/gsmd_container.jsp components. | [email protected] | 5.4 | 0.37% | 2025-03-11 | 2025-06-12 |
| CVE-2024-51321 | In Zucchetti Ad Hoc Infinity 2.4, an improper check on the m_cURL parameter allows an attacker to redirect the victim to an attacker-controlled website after the authentication. | [email protected] | 7.6 | 0.23% | 2025-03-11 | 2025-05-28 |
| CVE-2024-51320 | Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /servlet/gsdm_fsave_htmltmp, /servlet/gsdm_btlk_openfile components. | [email protected] | 5.4 | 0.37% | 2025-03-11 | 2025-05-28 |
| CVE-2024-51319 | A local file inclusion vulnerability in the /servlet/Report of Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution by uploading a jsp web/reverse shell through /jsp/zimg_upload.jsp. | [email protected] | 7.3 | 0.57% | 2025-03-11 | 2025-05-28 |
| CVE-2023-42234 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Request Forgery (CSRF) via the WSCView function. | [email protected] | 5.4 | 0.14% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42233 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Scripting (XSS) via the Filter/FilterEditor function. | [email protected] | 6.1 | 0.18% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42232 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Navigator/Index function. | [email protected] | 7.5 | 0.64% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42231 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can delete admin users by sending a request to the "WSCView/Delete" function. | [email protected] | 8.1 | 0.15% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42230 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Scripting (XSS) via the WSCView/Save function. | [email protected] | 6.1 | 0.24% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42229 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal. Arbitrary files can be created on the system via authenticated SOAP requests to the WSConnector service. | [email protected] | 6.5 | 0.57% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42228 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can edit their own ACL rules by sending a request to the "AclList/SaveAclRules" administrative function. | [email protected] | 8.8 | 0.12% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42227 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the WSCView/Save function. | [email protected] | 7.5 | 0.53% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42226 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Email/SaveAttachment function. | [email protected] | 7.5 | 0.53% | 2025-01-13 | 2025-04-17 |
| CVE-2023-42225 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Attachment/DownloadTempFile function. | [email protected] | 7.5 | 0.53% | 2025-01-13 | 2025-04-17 |
| CVE-2021-42369 | Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. A low-privileged user could inject a SQL statement through the "Export to CSV" feature of the Contact Manager web GUI. | [email protected] | 9.9 | 0.42% | 2021-10-14 | 2024-11-21 |
| CVE-2019-18207 | In Zucchetti InfoBusiness before and including 4.4.1, an authenticated user can inject client-side code due to improper validation of the Title field in the InfoBusiness Web Component. The payload will be triggered every time a user browses the reports page. | [email protected] | 5.4 | 0.53% | 2019-10-30 | 2024-11-21 |
| CVE-2019-18206 | A cross-site request forgery (CSRF) vulnerability in Zucchetti InfoBusiness before and including 4.4.1 allows arbitrary file upload. | [email protected] | 8.8 | 0.18% | 2019-10-30 | 2024-11-21 |
| CVE-2019-18205 | Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in Zucchetti InfoBusiness before and including 4.4.1. The browsing component did not properly sanitize user input (encoded in base64). This also applies to the search functionality for the searchKey parameter. | [email protected] | 6.1 | 0.33% | 2019-10-30 | 2024-11-21 |