Terminalfour

terminalfour

Vendor: Terminalfour • 6 CVEs

CVEs (6)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-58386 1Terminalfour 1Terminalfour Dec 19, 2025 Dec 2, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Adm...Show more In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it.Show less
CVE-2024-22217 1Terminalfour 1Terminalfour Mar 24, 2025 Aug 15, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A Server-Side Request Forgery (SSRF) vulnerability in Terminalfour before 8.3.19 allows authenticated users to use specific features to access internal services including sensitive information on the server that Terminal...Show more A Server-Side Request Forgery (SSRF) vulnerability in Terminalfour before 8.3.19 allows authenticated users to use specific features to access internal services including sensitive information on the server that Terminalfour runs on.Show less
CVE-2024-22220 1Terminalfour 2Formbank Terminalfour May 8, 2025 Feb 21, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The...Show more An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview.Show less
CVE-2023-29484 1Terminalfour 1Terminalfour Nov 21, 2024 Oct 16, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 In Terminalfour before 8.3.16, misconfigured LDAP users are able to login with an invalid password.
CVE-2023-23591 1Terminalfour 1Terminalfour Feb 10, 2025 Apr 12, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 The Logback component in Terminalfour before 8.3.14.1 allows OS administrators to obtain sensitive information from application server logs when debug logging is enabled. The fixed versions are 8.2.18.7, 8.2.18.2.2, 8.3....Show more The Logback component in Terminalfour before 8.3.14.1 allows OS administrators to obtain sensitive information from application server logs when debug logging is enabled. The fixed versions are 8.2.18.7, 8.2.18.2.2, 8.3.11.1, and 8.3.14.1.Show less
CVE-2022-30770 1Terminalfour 1Terminalfour Nov 21, 2024 May 16, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Terminalfour versions 8.3.7, 8.3.x versions prior to version 8.3.8 and r 8.2.x versions prior to version 8.2.18.5 or 8.2.18.2.1 are vulnerable to (XSS) vulnerability that could be exploited by an attacker to mislead an a...Show more Terminalfour versions 8.3.7, 8.3.x versions prior to version 8.3.8 and r 8.2.x versions prior to version 8.2.18.5 or 8.2.18.2.1 are vulnerable to (XSS) vulnerability that could be exploited by an attacker to mislead an administrator and steal their credentials.Show less