Aggregates CVE and security vulnerability intelligence across all nchsoftware-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2021-37456 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored). | [email protected] | 5.4 | 0.59% | 2021-07-25 | 2026-06-17 |
| CVE-2021-37455 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the outbound dialing plan (stored). | [email protected] | 5.4 | 0.59% | 2021-07-25 | 2026-06-17 |
| CVE-2021-37454 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the line name (stored). | [email protected] | 5.4 | 0.59% | 2021-07-25 | 2026-06-17 |
| CVE-2021-37453 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the extension name (stored). | [email protected] | 5.4 | 0.59% | 2021-07-25 | 2026-06-17 |
| CVE-2021-37451 | Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /msglist?mbx= (reflected). | [email protected] | 5.4 | 0.62% | 2021-07-25 | 2026-06-17 |
| CVE-2021-37450 | Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmprop?id= (reflected). | [email protected] | 5.4 | 0.59% | 2021-07-25 | 2026-06-17 |
| CVE-2020-13476 | NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module. | [email protected] | 4.8 | 0.68% | 2020-12-28 | 2026-06-16 |
| CVE-2020-13474 | In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users. | [email protected] | 6.5 | 0.75% | 2020-12-28 | 2026-06-16 |
| CVE-2020-13473 | NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file. | [email protected] | 5.5 | 0.29% | 2020-12-28 | 2026-06-16 |
| CVE-2020-11560 | NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file. | [email protected] | 7.8 | 1.04% | 2020-04-07 | 2026-06-16 |
| CVE-2020-11561 | In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen. | [email protected] | 8.8 | 2.21% | 2020-04-07 | 2026-06-16 |
| CVE-2019-16330 | In NCH Express Accounts Accounting v7.02, persistent cross site scripting (XSS) exists in Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript. | [email protected] | 5.4 | 0.58% | 2019-10-17 | 2026-06-16 |
| CVE-2019-16282 | In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Items/Customers fields parameter to inject arbitrary JavaScript. | [email protected] | 5.4 | 0.58% | 2019-10-14 | 2026-06-16 |
| CVE-2010-5220 | Untrusted search path vulnerability in MEO Encryption Software 2.02 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory, as demonstrated by a directory that contains a .meo or .cry file. NOTE: some of these details are obtained from third party information. | [email protected] | 6.9 | 0.36% | 2012-09-06 | 2026-06-16 |