
Ponton X P Messenger vulnerabilities

4 known vulnerabilities affecting ponton/x_p_messenger.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 2

Vulnerabilities

CVE-2021-45887 | P2 | CRITICAL | CVSS 9.8 | v3.8.0 | v3.10.0 | 2022-03-13
CVE-2021-45887 [CRITICAL] CWE-22: An issue was discovered in PONTON X/P Messenger before 3.11.2. Due to path traversal in private/SchemaSetUpload.do for uploaded ZIP files, an executable script can be uploaded by web application administrators, giving the attacker remote code execution on the underlying server via an imgs/*.jsp URI.
Source: NVD
CVE-2021-45886 | P3 | HIGH | CVSS 8.8 | v3.8.0 | v3.10.0 | 2022-03-13
CVE-2021-45886 [HIGH] CWE-352: An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF, where an arbitrary token of a low-privileged user (such as operator) can be used to confirm actions of higher-privileged ones (such as xpadmin).
Source: NVD
CVE-2021-45889 | P4 | MEDIUM | CVSS 5.4 | v3.8.0 | v3.10.0 | 2022-03-13
CVE-2021-45889 [MEDIUM] CWE-79: An issue was discovered in PONTON X/P Messenger before 3.11.2. Several functions are vulnerable to reflected XSS, as demonstrated by private/index.jsp?partners/ShowNonLocalPartners.do?localID= or private/index.jsp or private/index.jsp?database/databaseTab.jsp or private/index.jsp?activation/activationMainTab.jsp or private/index.jsp?communication/ser
Source: NVD
CVE-2021-45888 | P4 | MEDIUM | CVSS 4.8 | v3.8.0 | v3.10.0 | 2022-03-13
CVE-2021-45888 [MEDIUM] CWE-79: An issue was discovered in PONTON X/P Messenger before 3.11.2. The navigation tree that is shown on the left side of every page of the web application is vulnerable to XSS: it allows injection of JavaScript into its nodes. Creating such nodes is only possible for users who have the role Configuration Administrator or Administrator.
Source: NVD