This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Zend
Product Zendto
Version 3.62
First view 2013-12-27
Last view 2021-03-02
Type Application
Update *
Edition *
Language *
Software Edition *
Target Software *
Target Hardware *
Other *
 
CPE Product cpe:2.3:a:zend:zendto

Activity : Overall

Related : CVE

Score Date Alert Description
6.1 2021-03-02 CVE-2021-27888

ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters.

9.8 2020-03-24 CVE-2020-8986

lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests.

8.8 2020-03-24 CVE-2020-8985

ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality.

7.5 2020-03-24 CVE-2020-8984

lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header.

6.1 2018-12-20 CVE-2018-1000841

Zend.To versions prior to 5.15-1 contain a cross-site scripting (XSS) vulnerability in the verify.php page that can allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser. This attack appears to be exploitable via an HTTP POST request. This vulnerability appears to have been fixed in 5.16-1 Beta.

4.3 2013-12-27 CVE-2013-6808

Cross-site scripting (XSS) vulnerability in lib/NSSDropoff.php in ZendTo before 4.11-13 allows remote attackers to inject arbitrary web script or HTML via a modified emailAddr field to pickup.php.

CWE : Common Weakness Enumeration

% (count) ID Name
57% (4) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
14% (1) CWE-754 Improper Check for Unusual or Exceptional Conditions
14% (1) CWE-352 Cross-Site Request Forgery (CSRF)
14% (1) CWE-346 Origin Validation Error