
1729 matches found

Source: CVE (added 2025/11/20 7:06 p.m.)

CVE-2025-55128

The CVE-2025-55128 entry concerns Revive Adserver and a vulnerability in userlog-index.php where an attacker with admin access can send an extremely large setPerPage value, causing uncontrolled resource consumption and potential DoS. The linked HackerOne report explains that the pagination paramete...

CVSS 6.5, AI score 6.4, EPSS 0.00111
Exploits: 1, References: 1, Affected software: 1
Source: Github Security Blog (added 2025/11/20 6:31 p.m.)

Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...

CVSS 6.1, AI score 5.7, EPSS 0.00013
Exploits: 2, References: 4, Affected software: 1
Source: OSV (added 2025/11/20 6:31 p.m.)

GHSA-8X9V-8QGJ-945X Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...

CVSS 6.2, AI score 5.6, EPSS 0.00013
Exploits: 2, References: 3
Source: NVD (added 2025/11/20 5:15 p.m.)

CVE-2025-64027

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...

CVSS 6.1, EPSS 0.00013
Exploits: 2, References: 2
Source: Cvelist (added 2025/11/20 12:00 a.m.)

CVE-2025-64027

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...

EPSS 0.00013
Exploits: 2, References: 2
Source: Positive Technologies (added 2025/11/20 12:00 a.m.)

PT-2025-47626

HackerOne community member Dao Hoang Anh (yoyomiski) has reported an uncontrolled resource consumption vulnerability in userlog-index.php. An attacker with access to the admin interface could request an arbitrarily large number of items per page, potentially leading to a denial of service...

CVSS 6.5, AI score 6.7, EPSS 0.00111
Exploits: 1, References: 2
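The two Revive Adserver entries above (CVE-2025-55128 and PT-2025-47626) describe the same root cause: a per-page value taken from the request is used as-is, so a huge setPerPage forces the server to build an enormous result set. The following is an added example written for this listing, not Revive Adserver code and not a reproduction of userlog-index.php; it shows the unchecked parser beside a hardened one that rejects non-integers and clamps to a ceiling. The function names, the default and maximum values, and the userlog table name are illustrative assumptions.

```python
"""Clamp a client-supplied page size before it reaches the query layer.

Added example for this listing; not Revive Adserver code. The parameter name
setPerPage comes from the advisories above; everything else (function names,
limits, the table name) is an assumption made for illustration.
"""

DEFAULT_PER_PAGE = 50      # assumption: sane default when the parameter is absent
MAX_PER_PAGE = 500         # assumption: the largest page the UI ever needs


class InvalidPagination(ValueError):
    """Raised for page parameters that are not positive integers."""


def parse_per_page_unchecked(raw):
    """Vulnerable pattern: whatever the client sends becomes the LIMIT."""
    return int(raw)


def parse_per_page(raw, default=DEFAULT_PER_PAGE, maximum=MAX_PER_PAGE):
    """Hardened pattern: absent -> default; non-integer or < 1 -> error;
    anything above the ceiling is clamped to the ceiling."""
    if raw is None or str(raw).strip() == "":
        return default
    try:
        value = int(str(raw).strip())
    except ValueError:
        raise InvalidPagination("setPerPage must be an integer, got %r" % (raw,))
    if value < 1:
        raise InvalidPagination("setPerPage must be at least 1")
    return min(value, maximum)


def parse_page(raw, max_page=100000):
    """The page number gets the same treatment: an absurd OFFSET is also costly."""
    if raw is None or str(raw).strip() == "":
        return 1
    try:
        value = int(str(raw).strip())
    except ValueError:
        raise InvalidPagination("page must be an integer, got %r" % (raw,))
    if value < 1:
        raise InvalidPagination("page must be at least 1")
    return min(value, max_page)


def build_page_query(params, unchecked=False):
    """Turn request parameters into a LIMIT/OFFSET query for the user log.

    params is a dict such as {"setPerPage": "100", "page": "3"}. With
    unchecked=True the vulnerable parser is used so the difference is visible.
    Returns (sql, (limit, offset)); the values are meant to be bound, not spliced.
    """
    if unchecked:
        per_page = parse_per_page_unchecked(params.get("setPerPage", DEFAULT_PER_PAGE))
        page = int(params.get("page", 1))
    else:
        per_page = parse_per_page(params.get("setPerPage"))
        page = parse_page(params.get("page"))
    offset = (page - 1) * per_page
    sql = "SELECT * FROM userlog ORDER BY timestamp DESC LIMIT ? OFFSET ?"  # assumed table
    return sql, (per_page, offset)


if __name__ == "__main__":
    hostile = {"setPerPage": "999999999", "page": "1"}   # constructed hostile request
    print(build_page_query(hostile, unchecked=True)[1])   # (999999999, 0)
    print(build_page_query(hostile)[1])                   # (500, 0)
```

Clamping rather than rejecting oversized values keeps existing bookmarks and saved preferences working while bounding the work any single request can cause; the page number is bounded as well, since a very large OFFSET makes the database walk past rows it will never return.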
Source: Positive Technologies (added 2025/11/20 12:00 a.m.)

PT-2025-47631

Name of the vulnerable software and affected versions: FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch, versions prior to 2.2.0D Build 135103. Description: The FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch transmits cookies containing usernames and passwords in cleartext using base64...

CVSS 7.5, AI score 6.7, EPSS 0.00032
Exploits: 1, References: 6
Source: CVE (added 2025/11/20 12:00 a.m.)

CVE-2025-64027

Snipe-IT v8.3.4 (build 20218) contains a reflected XSS in the CSV Import workflow. Affected component is the CSV Import progress_message, which is rendered as raw HTML after uploading an invalid CSV. An attacker who can intercept/modify the POST /livewire/update request can inject arbitrary HTML/...

CVSS 6.1, AI score 5, EPSS 0.00013
Exploits: 2, References: 2, Affected software: 1
Source: EUVD (added 2025/11/18 8:27 a.m.)

EUVD-2025-197950

The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...

CVSS 7.1, AI score 6.2, EPSS 0.00031
Exploits: 0, References: 4
Source: Packet Storm (added 2025/11/18 12:00 a.m.)

Snipe-IT 8.3.4 Cross Site Scripting

Snipe-IT version 8.3.4 suffers from a cross site scripting vulnerability. Product Info: Snipe-IT is a free and open-source (FOSS) IT asset management system built on Laravel. It provides hardware asset tracking, software license management, accessories, and consumables inventory features for IT...

CVSS 7.1, AI score 6.4, EPSS 0.00044
Exploits: 2
Source: Cvelist (added 2025/11/14 10:52 p.m.)

CVE-2021-4466 IPCop <= 2.1.9 Authenticated RCE

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAILPW parameter, directly into system-level operations without...

CVSS 8.7, EPSS 0.00357
Exploits: 0, References: 4
Source: OSV (added 2025/11/07 7:16 p.m.)

CVE-2025-63717

The change password functionality at /petgrooming/admin/changepass.php in SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. The application does not implement adequate anti-CSRF tokens or same-site cookie restrictions, allowing attackers...

CVSS 6.5, AI score 5.8, EPSS 0.00028
Exploits: 1, References: 2
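The CVE-2025-63717 entry above names the two missing controls: an anti-CSRF token and same-site cookie restrictions. The following is an added example for this listing, not SourceCodester code and not a reproduction of /petgrooming/admin/changepass.php. It shows a token bound to the session with an HMAC, a change-password handler that rejects any POST lacking a valid token for that session, and the Set-Cookie attributes that stop a browser from attaching the session cookie to a cross-site POST in the first place. The secret key, the PHPSESSID cookie name, the form field names and the dict-shaped request are constructed assumptions.

```python
"""Anti-CSRF token bound to the session, checked on the change-password POST.

Added example for this listing; not SourceCodester code. SECRET_KEY,
SESSION_COOKIE, the form field names and the request shape are assumptions.
"""
import hashlib
import hmac
import os
import time

SECRET_KEY = b"constructed-sample-key-replace-in-deployment"  # assumption: server-side secret
TOKEN_TTL_SECONDS = 3600
SESSION_COOKIE = "PHPSESSID"  # assumption: name of the PHP session cookie


def _mac(session_id, ts, nonce):
    """HMAC over session id, timestamp and nonce; this is what ties a token to one session."""
    msg = ("%s|%s|%s" % (session_id, ts, nonce)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Return 'timestamp.nonce.mac' to embed as a hidden field in the form."""
    ts = str(int(time.time() if now is None else now))
    nonce = os.urandom(16).hex()
    return "%s.%s.%s" % (ts, nonce, _mac(session_id, ts, nonce))


def verify_csrf_token(session_id, token, now=None, ttl=TOKEN_TTL_SECONDS):
    """True only for a well-formed, unexpired token issued for this session."""
    try:
        ts, nonce, mac = token.split(".")
        ts_int = int(ts)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if not (current - ttl <= ts_int <= current + 60):   # small clock-skew allowance
        return False
    return hmac.compare_digest(mac, _mac(session_id, ts, nonce))  # constant-time compare


def session_cookie_header(session_id):
    """Set-Cookie value for the session: SameSite keeps the browser from sending
    the cookie on a cross-site POST, the second control the advisory names."""
    return "%s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (SESSION_COOKIE, session_id)


def handle_change_password(request, sessions, now=None):
    """Server-side handler. request is {'method', 'cookies', 'form'} of dicts;
    sessions maps session id -> session state. Returns (status, message)."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    sid = request.get("cookies", {}).get(SESSION_COOKIE)
    if sid not in sessions:
        return 401, "not authenticated"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(sid, token, now=now):
        return 403, "missing or invalid CSRF token"
    new_password = request.get("form", {}).get("newpass", "")
    if len(new_password) < 12:
        return 400, "password too short"
    sessions[sid]["password_changed"] = True   # real code stores a KDF hash here
    return 200, "password changed"


if __name__ == "__main__":
    sessions = {"sess-admin": {}}
    # Constructed cross-site POST: the victim's cookie rides along, no token.
    forged = {"method": "POST", "cookies": {SESSION_COOKIE: "sess-admin"},
              "form": {"newpass": "attacker-chosen-pw"}}
    print(handle_change_password(forged, sessions))        # (403, ...)
    forged["form"]["csrf_token"] = issue_csrf_token("sess-admin")
    print(handle_change_password(forged, sessions))        # (200, ...)
    print(session_cookie_header("sess-admin"))
```

The simulated forged request still carries the session cookie, which is what a browser without SameSite enforcement would do; the token check alone is enough to stop it, and the SameSite attribute removes the cookie from such requests as a second, independent layer.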
Source: OSV (added 2025/11/07 3:15 p.m.)

CVE-2025-12859

A vulnerability has been found in DedeBIZ up to 6.3.2. It affects an unknown function of the file /admin/templetsoneedit.php. Manipulation of the argument ids leads to SQL injection. Remote exploitation is possible. The exploit has been disclosed to the public and may be used...

CVSS 7.2, AI score 5.5
Exploits: 0, References: 4
Source: Cvelist (added 2025/11/07 3:32 a.m.)

CVE-2025-64328 FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the...

CVSS 8.6, EPSS 0.75413
Exploits: 4, References: 3
Source: RedhatCVE (added 2025/11/04 12:53 a.m.)

CVE-2025-60503

A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated...

CVSS 8.7, AI score 6, EPSS 0.00045
Exploits: 3, References: 1
Source: OSV (added 2025/11/03 4:15 p.m.)

CVE-2025-60503

A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated...

CVSS 8.7, AI score 5.9, EPSS 0.00045
Exploits: 3, References: 2
Source: NVD (added 2025/11/03 2:15 a.m.)

CVE-2025-12610

A vulnerability was determined in CodeAstro Gym Management System 1.0. It affects an unknown part of the file /admin/view-progress-report.php. Manipulation of the argument ID can lead to SQL injection. The attack may be launched remotely. The exploit has been publicly disclosed and...

CVSS 7.2, EPSS 0.00045
Exploits: 1, References: 6
Source: Positive Technologies (added 2025/11/03 12:00 a.m.)

PT-2025-44782

Name of the vulnerable software and affected versions: ultimatefosters UltimatePOS version 4.8. Description: A cross-site scripting (XSS) flaw exists in the administrative interface of the software. Input provided in the purchase functionality is reflected without proper sanitization in the admin log...

CVSS 8.7, AI score 5.4, EPSS 0.00045
Exploits: 3, References: 7
Source: CNNVD (added 2025/11/02 12:00 a.m.)

Code-Projects Simple Online Hotel Reservation System SQL Injection Vulnerability

Simple Online Hotel Reservation System is a simple online hotel reservation system. It suffers from an SQL injection vulnerability that stems from missing validation of externally supplied input in the parameter Name in the file...

CVSS 7.2, AI score 5.7, EPSS 0.00009
Exploits: 1, References: 6
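The SQL injection entries above (EUVD-2025-197950, CVE-2025-12859, CVE-2025-12610 and the Simple Online Hotel Reservation System entry) share one pattern: an ID-like request argument is spliced into a query string with insufficient escaping and no prepared statement. The following is an added example for this listing, not code from any of those projects. It runs the string-built lookup beside a parameterized one against an in-memory SQLite table constructed here, so the reader can see the boolean and UNION payloads succeed on one path and be rejected on the other. The table, column and function names are illustrative assumptions.

```python
"""String-built versus parameterized SQL for an integer 'ID' parameter.

Added example for this listing; not code from the affected projects. The
price_rules table and the function names are assumptions made for illustration.
"""
import sqlite3


def make_db():
    """Constructed sample data standing in for the affected application's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE price_rules (id INTEGER PRIMARY KEY, product TEXT, discount REAL)"
    )
    conn.executemany(
        "INSERT INTO price_rules VALUES (?, ?, ?)",
        [(1, "widget", 0.10), (2, "gadget", 0.25), (3, "doohickey", 0.40)],
    )
    return conn


def lookup_unsafe(conn, raw_id):
    """Vulnerable pattern: the request value is concatenated into the query text.
    Escaping would be the only defence, and here there is none."""
    sql = "SELECT id, product, discount FROM price_rules WHERE id = " + str(raw_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Hardened pattern: validate the type, then bind the value as a parameter.
    The database never parses the input as SQL, whatever characters it contains."""
    try:
        id_int = int(str(raw_id).strip())
    except ValueError:
        raise ValueError("ID must be an integer, got %r" % (raw_id,))
    return conn.execute(
        "SELECT id, product, discount FROM price_rules WHERE id = ?", (id_int,)
    ).fetchall()


def compare(raw_id):
    """Run both variants on one input. safe_error is set when the safe path
    rejects the value before any query is issued."""
    conn = make_db()
    unsafe_rows = lookup_unsafe(conn, raw_id)
    try:
        safe_rows, safe_error = lookup_safe(conn, raw_id), None
    except ValueError as exc:
        safe_rows, safe_error = [], str(exc)
    return {"unsafe": unsafe_rows, "safe": safe_rows, "safe_error": safe_error}


if __name__ == "__main__":
    print(compare("2"))                                            # both return one row
    print(compare("2 OR 1=1"))                                     # unsafe: every row
    print(compare("0 UNION SELECT 1, sql, 0 FROM sqlite_master"))  # unsafe: leaks schema
```

The type check in lookup_safe is belt-and-braces: binding alone already prevents injection, but rejecting non-integer IDs at the edge also stops the crafted value from reaching any later code path that might build strings from it.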
Source: RedhatCVE (added 2025/10/31 10:07 p.m.)

CVE-2023-7312

Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability when adding or configuring Email Settings. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affecte...

CVSS 6.2, AI score 5.7, EPSS 0.00454
Exploits: 0, References: 1