lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests.
Max CVSS: 9.8
EPSS Score: 0.22%
Published: 2020-03-24
Updated: 2020-03-27
ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality.
Max CVSS: 8.8
EPSS Score: 0.07%
Published: 2020-03-24
Updated: 2020-03-27
lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header.
Max CVSS: 7.5
EPSS Score: 0.09%
Published: 2020-03-24
Updated: 2020-03-27
3 vulnerabilities found