VYPR
Vendor

Zucchetti

Products
8
CVEs
13
Across products
15
Status
Private

Products

8

Recent CVEs

13
  • CVE-2019-18206HigOct 30, 2019
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Zucchetti InfoBusiness before and including 4.4.1 allows arbitrary file upload.

  • CVE-2019-18204HigOct 30, 2019
    risk 0.57cvss 8.8epss 0.02

    Zucchetti InfoBusiness before and including 4.4.1 allows any authenticated user to upload .php files in order to achieve code execution.

  • CVE-2026-30695MedMar 18, 2026
    risk 0.40cvss 6.1epss 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the…

  • CVE-2025-52179MedOct 30, 2025
    risk 0.40cvss 6.1epss 0.00

    Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Revolution 4.1 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahrw/jsp/gsfr_feditorHTML.jsp endpoint.

  • CVE-2019-18205MedOct 30, 2019
    risk 0.40cvss 6.1epss 0.01

    Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in Zucchetti InfoBusiness before and including 4.4.1. The browsing component did not properly sanitize user input (encoded in base64). This also applies to the search functionality for the searchKey parameter.

  • CVE-2019-18207MedOct 30, 2019
    risk 0.35cvss 5.4epss 0.01

    In Zucchetti InfoBusiness before and including 4.4.1, an authenticated user can inject client-side code due to improper validation of the Title field in the InfoBusiness Web Component. The payload will be triggered every time a user browses the reports page.

  • CVE-2021-47722LowDec 23, 2025
    risk 0.23cvss 3.5epss 0.00

    Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control…

  • CVE-2025-61431Nov 4, 2025
    risk 0.00cvss epss 0.00

    A reflected cross-site scripted (XSS) vulnerability in the /jsp/gsfr_feditorHTML.jsp endpoint of Zucchetti ZMaintenance Infinity and Infinity Zucchetti v4.1 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted…

  • CVE-2025-52180Oct 30, 2025
    risk 0.00cvss epss 0.00

    Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint.

  • CVE-2024-51320Mar 11, 2025
    risk 0.00cvss epss 0.00

    Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /servlet/gsdm_fsave_htmltmp, /servlet/gsdm_btlk_openfile components

  • CVE-2024-51321Mar 11, 2025
    risk 0.00cvss epss 0.00

    In Zucchetti Ad Hoc Infinity 2.4, an improper check on the m_cURL parameter allows an attacker to redirect the victim to an attacker-controlled website after the authentication.

  • CVE-2024-51322Mar 11, 2025
    risk 0.00cvss epss 0.00

    Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom, /jsp/gsmd_container.jsp components

  • CVE-2024-51319Mar 11, 2025
    risk 0.00cvss epss 0.00

    A local file include vulnerability in the /servlet/Report of Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution by uploading a jsp web/reverse shell through /jsp/zimg_upload.jsp.