Aggregates CVE and security vulnerability intelligence across all avantfax-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-23328 | A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. | [email protected] | 8.8 | 0.63% | 2023-03-10 | 2025-03-04 |
| CVE-2023-23327 | An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls. | [email protected] | 4.9 | 0.15% | 2023-03-10 | 2025-03-05 |
| CVE-2023-23326 | A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. | [email protected] | 5.4 | 0.75% | 2023-03-10 | 2025-02-27 |
| CVE-2020-11766 | sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection. | [email protected] | 8.8 | 4.36% | 2020-05-19 | 2024-11-21 |
| CVE-2017-18024 | AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1. | [email protected] | 6.1 | 8.40% | 2018-01-10 | 2024-11-21 |