Open-School 3.0 / Community Edition 2.3 Cross Site Scripting
Exploit Title: title Date: 2019 08 06 Exploit Author: Greg.Priest Vendor Homepage: https://open-school.org/ Software Link: Version: Open-School 3.0/Community Edition 2.3 Tested on: Windows/Linux CVE : CVE-2019-14696 Open-School 3.0, and Community Edition 2.3, allows XSS via the...
Default credentials
Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATHINFO...
CVE-2019-13978
Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request...
CVE-2019-13977
index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=...
Sql injection
Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request...
CVE-2019-13977
CVE-2019-13977 affects Ovidentia 8.4.3: index.php is vulnerable to cross-site scripting via multiple tg parameters (e.g., tg=groups, tg=maildoms&idx=create, tg=site&item=4, etc.). Affected component is the index.php entry point of Ovidentia 8.4.3; root cause reported is lack of proper validation/...
Cross site scripting
index.php?c=admin&a=index in SyGuestBook A5 Version 1.2 has stored XSS via a reply to a comment...
CVE-2019-1010028
phpscriptsmall.com School College Portal with ERP Script 2.6.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attack administrators and teachers, students and more. The component is: /pro-school/index.php?student/message/sendreply/. The attack vector is:...
CVE-2019-13396
FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module...
CVE-2019-13472
PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file...
Cross site scripting
PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file...
CVE-2019-13472
CVE-2019-13472 affects PHPWind 9.1.0. The vulnerability is an XSS issue in the index.php file, specifically in the c and m parameters. The connected documents confirm these are cross-site scripting vulnerabilities but do not provide exploitation details, affected versions beyond 9.1.0, or remedia...
CVE-2018-11227
Monstra CMS 3.0.4 and earlier has XSS via index.php...
CVE-2018-11227
Summary (CVE-2018-11227): Monstra CMS ≤3.0.4 is affected by a Cross‑Site Scripting (XSS) vulnerability via index.php. An attacker can inject arbitrary script in the browser of users visiting the affected site, potentially stealing cookie‑based authentication credentials and enabling further brow...
FreePBX Backup Module Command Injection Vulnerability
FreePBX, formerly known as Asterisk Management Portal, is a set of tools from the FreePBX project for configuring the Asterisk IP telephony system through a web-based graphical interface (GUI). A command injection vulnerability exists in the app/backup/index.php file of the Backup module in FreePBX versi...
CVE-2018-19465
Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html...