When editing an apartment, an attacker could inject arbitrary SQL commands into the parameter value to cause the system to crash, delete critical data, or leak data. This attack can be prevented by disabling the editid parameter for this and other related endpoints. We have released new versions of the software with patched endpoints that address this issue. An attacker could leverage other injection vectors to exploit this vulnerability.

Apartment Visitor Management System v1.0 was discovered to have a reflected XSS vulnerability via the name parameter at /avms/add-visitor.php.

An attacker could exploit this issue to inject JavaScript code into the requested page to exploit the XSS flaw.

Apartment Visitor Management System v1.0 was discovered to have a reflected XSS vulnerability via the email parameter at /avms/add-visitor.php.

An attacker could exploit this issue to inject JavaScript code into the requested page to exploit the XSS flaw.

Apartment Visitor Management System v1.0 was discovered to have a reflected XSS vulnerability via the phone1 parameter at /avms/edit-visitor.php.

An attacker could exploit this issue to inject JavaScript code into the requested page to exploit the XSS flaw.

Infrastructure and Configuration Best Practices

Look for and disable the mentioned parameters.

Name, email, phone1, id

Timeline

Published on: 09/08/2022 21:15:00 UTC
Last modified on: 09/15/2022 14:08:00 UTC

References