VYPR

AvantFAX

by AvantFAX

CVEs (6)

  • CVE-2025-1782CriApr 14, 2025
    risk 0.64cvss 9.9epss 0.01

    In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker…

  • CVE-2023-23328HigMar 10, 2023
    risk 0.57cvss 8.8epss 0.01

    A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file.

  • CVE-2020-11766HigMay 19, 2020
    risk 0.57cvss 8.8epss 0.02

    sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection.

  • CVE-2017-18024MedJan 10, 2018
    risk 0.40cvss 6.1epss 0.05

    AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.

  • CVE-2023-23326MedMar 10, 2023
    risk 0.35cvss 5.4epss 0.01

    A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in…

  • CVE-2023-23327MedMar 10, 2023
    risk 0.32cvss 4.9epss 0.01

    An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls.