CVE-2026-34408
- EPSS 0.26%
- Veröffentlicht 05.05.2026 14:16:08
- Zuletzt bearbeitet 06.05.2026 18:16:03
An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.
CVE-2024-23759
- EPSS 47.83%
- Veröffentlicht 12.02.2024 22:15:08
- Zuletzt bearbeitet 07.05.2025 21:16:02
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function.
CVE-2024-23760
- EPSS 0.44%
- Veröffentlicht 12.02.2024 22:15:08
- Zuletzt bearbeitet 28.03.2025 23:15:17
Cleartext Storage of Sensitive Information in Gambio 4.9.2.0 allows attackers to obtain sensitive information via error-handler.log.json and legacy-error-handler.log.txt under the webroot.
CVE-2024-23761
- EPSS 0.66%
- Veröffentlicht 12.02.2024 22:15:08
- Zuletzt bearbeitet 21.11.2024 08:58:20
Server Side Template Injection in Gambio 4.9.2.0 allows attackers to run arbitrary code via crafted smarty email template.
CVE-2024-23762
- EPSS 0.32%
- Veröffentlicht 12.02.2024 22:15:08
- Zuletzt bearbeitet 18.03.2025 20:15:21
Unrestricted File Upload vulnerability in Content Manager feature in Gambio 4.9.2.0 allows attackers to execute arbitrary code via upload of crafted PHP file.
CVE-2024-23763
- EPSS 0.63%
- Veröffentlicht 12.02.2024 22:15:08
- Zuletzt bearbeitet 07.05.2025 21:16:02
SQL Injection vulnerability in Gambio through 4.9.2.0 allows attackers to run arbitrary SQL commands via crafted GET request using modifiers[attribute][] parameter.