Embrace

embrace

Vendor: Italtel • 8 CVEs

CVEs (8)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-31842 1Italtel 1Embrace Oct 29, 2024 Aug 20, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed th...Show more An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token in sent in GET requests, this vulnerability could lead to complete account takeover.Show less
CVE-2024-31843 1Italtel 1Embrace May 21, 2025 May 23, 2024 N/A· v4 4.1 MEDIUM· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The Web application does not properly check the parameters sent as input before they are processed on the server side. This allows authenticated users to execute commands...Show more An issue was discovered in Italtel Embrace 1.6.4. The Web application does not properly check the parameters sent as input before they are processed on the server side. This allows authenticated users to execute commands on the Operating System.Show less
CVE-2024-31847 1Italtel 1Embrace Mar 13, 2025 May 21, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. T...Show more An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. This reflects/stores the user input without sanitization.Show less
CVE-2024-31845 1Italtel 1Embrace May 21, 2025 May 21, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parame...Show more An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This can be exploited without authentication.Show less
CVE-2024-31844 1Italtel 1Embrace Mar 13, 2025 May 21, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The server does not properly handle application errors. In some cases, this leads to a disclosure of information about the server. An unauthenticated user is able craft s...Show more An issue was discovered in Italtel Embrace 1.6.4. The server does not properly handle application errors. In some cases, this leads to a disclosure of information about the server. An unauthenticated user is able craft specific requests in order to make the application generate an error. Inside an error message, some information about the server is revealed, such as the absolute path of the source code of the application. This kind of information can help an attacker to perform other attacks against the system. This can be exploited without authentication.Show less
CVE-2024-31840 1Italtel 1Embrace Mar 14, 2025 May 21, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access...Show more An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password.Show less
CVE-2024-31846 1Italtel 1Embrace May 21, 2025 Apr 19, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-31841 1Italtel 1Embrace May 21, 2025 Apr 19, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The web server fails to sanitize input data, allowing remote unauthenticated attackers to read arbitrary files on the filesystem.