
888 matches found

NVD
added 2019/12/31 9:15 p.m. | 16 views

CVE-2015-5595

Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption)...

CVSS 6.5 | AI score 6.7 | EPSS 0.01453
Exploits: 1 | References: 3

OSV
added 2019/12/27 3:15 p.m. | 3 views

CVE-2016-1000028

Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would only potentially impact other admins. (Tenable ID 5198)...

CVSS 4.8 | AI score 5.8 | EPSS 0.00858
Exploits: 0 | References: 3

OSV
added 2019/12/27 3:15 p.m. | 2 views

CVE-2016-1000029

Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would potentially impact other admins (Tenable IDs 5218 and 5269)...

CVSS 4.8 | AI score 5.8 | EPSS 0.00858
Exploits: 0 | References: 3

CVE
added 2019/12/27 2:19 p.m. | 52 views

CVE-2016-1000028

CVE-2016-1000028 : A stored XSS in Tenable Nessus prior to 6.8 affects the Nessus UI. The issue requires authentication (admin-level access) and could potentially impact other admins. Affected software is Nessus 6.x before 6.8; root cause relates to improper input filtering in UI handling. The co...

CVSS 4.8 | AI score 5 | EPSS 0.00858
Exploits: 0 | References: 3 | Affected Software: 1

OSV
added 2019/11/14 3:15 p.m. | 3 views

CVE-2019-18647

The Untangle NG firewall 14.2.0 is vulnerable to an authenticated command injection when logged in as an admin user...

CVSS 7.2 | AI score 5.8 | EPSS 0.01869
Exploits: 0 | References: 1

Prion
added 2019/10/10 12:15 p.m. | 15 views

Cross site request forgery (csrf)

An issue was discovered in fastadmin 1.0.0.20190705beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability...

CVSS 6.8 | AI score 8.6 | EPSS 0.00638
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2019/10/10 11:15 a.m. | 18 views

CVE-2019-17431

An issue was discovered in fastadmin 1.0.0.20190705beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability...

AI score 8.7 | EPSS 0.00638
Exploits: 1 | References: 1

OSV
added 2019/09/18 4:15 p.m. | 3 views

CVE-2019-14252

An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if remove...

CVSS 7.2 | AI score 7.2 | EPSS 0.01503
Exploits: 2 | References: 1

Prion
added 2019/09/18 4:15 p.m. | 12 views

Design/Logic Flaw

An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if remove...

CVSS 6.5 | AI score 7.4 | EPSS 0.01503
Exploits: 2 | References: 1 | Affected Software: 1

OSV
added 2019/07/05 2:15 p.m. | 1 views

CVE-2019-5980

Cross-site request forgery (CSRF) vulnerability in Related YouTube Videos versions prior to 1.9.9 allows remote attackers to hijack the authentication of administrators via unspecified vectors...

CVSS 8.8 | AI score 6.5 | EPSS 0.01017
Exploits: 0 | References: 3

CNVD
added 2019/06/21 12:00 a.m. | 5 views

Cisco Integrated Management Controller Operating System Command Injection Vulnerability

Cisco Integrated Management Controller (IMC) is a set of software from the American company Cisco for the management of UCS (Unified Computing System). The software supports HTTP, SSH access, etc., and can perform operations such as powering on, powering off and rebooting the server. An operati...

CVSS 7.2 | AI score 8.4 | EPSS 0.0042
Exploits: 0 | References: 1

OSV
added 2019/06/20 4:15 p.m. | 2 views

CVE-2018-16248

b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request...

CVSS 6.1 | AI score 5.7 | EPSS 0.00996
Exploits: 1 | References: 1

OSV
added 2019/06/20 2:15 p.m. | 2 views

CVE-2018-16249

In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated us...

CVSS 4.8 | AI score 5.6 | EPSS 0.00534
Exploits: 1 | References: 1

CNVD
added 2019/06/06 12:00 a.m. | 2 views

Cisco Industrial Network Director Remote Code Execution Vulnerability

Cisco Industrial Network Director (IND) is designed to help operations teams gain a comprehensive understanding of the automated network to improve system availability and increase overall equipment effectiveness (OEE). A remote code execution vulnerability exists in the software update feature of...

CVSS 9 | AI score 8.6 | EPSS 0.04377
Exploits: 0 | References: 1

OSV
added 2019/03/12 10:29 p.m. | 1 views

CVE-2019-5924

Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page...

CVSS 8.8 | AI score 6.5 | EPSS 0.0116
Exploits: 0 | References: 3

Cvelist
added 2019/03/12 9:00 p.m. | 22 views

CVE-2019-5924

Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page...

AI score 8.9 | EPSS 0.0116
Exploits: 0 | References: 3

Exploit DB
added 2019/03/04 12:00 a.m. | 240 views

Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Booked Scheduler v2.7.5 - Remote Command Execution', 'Description' = %q This module exploits a file upload vulnerability Booked 2.7.5. In the "Loo...

AI score 7.4
Exploits: 0

OSV
added 2018/12/06 11:29 p.m. | 2 views

CVE-2018-19927

Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zFormsavechanges sipnick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases...

CVSS 4.8 | AI score 5.8
Exploits: 0 | References: 1

Exploit DB
added 2018/10/25 12:00 a.m. | 25 views

phptpoint Hospital Management System 1.0 - 'user' SQL injection

Exploit Title: phptpoint Hospital Management System 1.0 - 'user' SQL injection Date: 2018-10-24 Exploit Author: Boumediene KADDOUR Unit: Algerie Telecom R&D Unit Vendor Homepage: https://www.phptpoint.com/ Software Link: Version: 1 Tested on: WAMP windows 10 x64 CVE: unknown Description: Phptpoin...

AI score 7
Exploits: 0

0day.today
added 2018/10/25 12:00 a.m. | 45 views

PHPTPoint Hospital Management System 1 SQL Injection Vulnerability

Exploit for php platform in category web applications Exploit Title: phptpoint hospital management system Multiple SQL injection Exploit Author: Boumediene KADDOUR Unit: Algerie Telecom R&D Unit Vendor Homepage: https://www.phptpoint.com/ Software Link:...

AI score 0.1
Exploits: 0