This issue arises because thread_id in the password settings is not verified before being used. This can result in an attacker gaining root privileges. The iaware module has an XSS (cross-site scripting) vulnerability. An attacker can inject malicious code into a website and force users to click on it. Since XSS is a type of CSRF (cross-site request forgery), an attacker can also hijack a user session.

There is an RCE (remote code execution) vulnerability in a function called get_user_details(). This function is used to retrieve a user’s details and data. An attacker can exploit this vulnerability to download additional code for the operating system or to install software or change settings.

------------- Summary of vulnerabilities --------------


There are four vulnerabilities in total. Three of the vulnerabilities are XSS and one is RCE. The XSS vulnerabilities can be exploited by an attacker to inject malicious code into a website or hijack a user’s session. An attacker could also cause a user’s device to download additional code for the operating system or install software or change settings.


Timeline

Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/14/2022 19:15:00 UTC
