6692 matches found

Packet Storm
added 2024/08/26 12:00 a.m., 205 views

Employee Record Management System 1.0 SQL Injection

============================================================================================================================================= | Title : ERMS Project 1.0 Auth By Pass Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefox 129.0.1 64 bits |...

AI score 7.4
Exploits 0
Vulnrichment
added 2024/08/26 12:00 a.m., 16 views

CVE-2024-42816

A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter...

AI score 5.8, EPSS 0.00181
Exploits 0, References 2
Cvelist
added 2024/08/23 6:00 a.m., 15 views

CVE-2024-3282 WP Table Builder <= 1.5.0 - Admin+ Stored XSS

The WP Table Builder WordPress plugin through 1.5.0 does not sanitise and escape some of its Table data, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...

EPSS 0.00157
Exploits 1, References 1
Cvelist
added 2024/08/22 6:47 p.m., 27 views

CVE-2024-39717

The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. Tenant level users do not have this privilege. The “Change Favicon” (Favorite Icon)...

CVSS 6.6, EPSS 0.05357
Exploits 1, References 1
Cvelist
added 2024/08/22 6:39 a.m., 19 views

CVE-2024-8071 System Role with edit access to permissions can elevate themselves to system admin

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin, which allows a System Role with edit access to the permissions section of the system console to update their role (e.g. member) to include the manage_system...

CVSS 4.7, EPSS 0.00126
Exploits 0, References 1
Cvelist
added 2024/08/22 12:00 a.m., 9 views

CVE-2024-42768

A Cross-Site Request Forgery (CSRF) vulnerability was found in Kashipara Hotel Management System v1.0 via /admin/deleteroom.php...

EPSS 0.00131
Exploits 1, References 2
CVE
added 2024/08/22 12:00 a.m., 43 views

CVE-2024-42776

Kashipara Hotel Management System v1.0 is affected by an Incorrect Access Control vulnerability exploitable via /admin/users.php. The CVE describes unauthorized access with network attack vector, requiring high privileges, and with no user interaction, potentially impacting confidentiality, integ...

CVSS 7.2, AI score 6.8, EPSS 0.00104
Exploits 1, References 2, Affected Software 1
CVE
added 2024/08/22 12:00 a.m., 47 views

CVE-2024-42767

CVE-2024-42767 affects Kashipara Hotel Management System v1.0, with an Unrestricted File Upload vulnerability enabling Remote Code Execution through /admin/add_room_controller.php. Public sources consistently describe the flaw as a lack of validation of uploaded files, allowing an attacker to upl...

CVSS 7.2, AI score 6.9, EPSS 0.00126
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2024/08/22 12:00 a.m., 12 views

CVE-2024-42776

Kashipara Hotel Management System v1.0 is vulnerable to Incorrect Access Control via /admin/users.php...

AI score 6.9, EPSS 0.00104
Exploits 1, References 2
Cvelist
added 2024/08/20 12:00 a.m., 10 views

CVE-2024-42557

A Cross-Site Request Forgery (CSRF) in the component adminmodifyroom.php of Hotel Management System commit 91caab8 allows attackers to escalate privileges...

EPSS 0.00157
Exploits 1, References 1
Cvelist
added 2024/08/20 12:00 a.m., 17 views

CVE-2024-42608

Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/submitpage.php...

EPSS 0.00319
Exploits 1, References 1
OSV
added 2024/08/19 9:49 p.m., 14 views

GHSA-WCG9-PGQV-XM5V XWiki Platform allows XSS through XClass name in string properties

Impact: It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. Reproduction steps: 1. As a user without script or programming rights, create a non-terminal document...

CVSS 9.4, AI score 7.2, EPSS 0.0727
Exploits 1, References 5
Cvelist
added 2024/08/19 12:00 a.m., 16 views

CVE-2024-44069

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit,...

EPSS 0.00111
Exploits 1, References 2
CVE
added 2024/08/19 12:00 a.m., 74 views

CVE-2024-44069

Pi-hole prior to version 6 is vulnerable to unauthenticated calls to admin/api.php?setTempUnit= that change the web dashboard temperature units. The underlying issue, as described in multiple sources, is that an unauthenticated user can alter Celsius/Fahrenheit/Kelvin settings, visible to the dev...

CVSS 7.5, AI score 7.3, EPSS 0.00111
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2024/08/19 12:00 a.m., 7 views

CVE-2024-44069

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit,...

AI score 7.2, EPSS 0.00111
Exploits 1, References 2
Packet Storm
added 2024/08/14 12:00 a.m., 223 views

Covid-19 Contact Tracing System 1.0 SQL Injection

============================================================================================================================================= | Title : Covid-19 Contact Tracing System 1.0 auth by pass Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefo...

AI score 7.4
Exploits 0
0day.today
added 2024/08/14 12:00 a.m., 167 views

WordPress PVN Auth Popup 1.0.0 Cross Site Scripting Vulnerability

Exploit Title: PVN Auth Popup alert1 for the "Login text" input 3. Save and see the XSS Note: Other fields are likely vulnerable...

AI score 7.4
Exploits 0
0day.today
added 2024/08/14 12:00 a.m., 166 views

WordPress MapFig Studio 0.2.1 Cross Site Request Forgery / Cross Site Scripting Vulnerabilities

WordPress MapFig Studio plugin versions 0.2.1 and below suffer from cross site request forgery and cross site scripting vulnerabilities. Exploit Title: MapFig Studio alert1" / alert1" / history.pushState'', '', '/'; document.forms0.submit;...

AI score 6.8
Exploits 0
0day.today
added 2024/08/14 12:00 a.m., 162 views

WordPress Profilepro 1.3 Cross Site Scripting Vulnerability

Exploit Title: profilepro if !response.ok throw new Error'Network response was not ok'; return response.text; .thendata = console.logdata .catcherror = console.error'Error:', error; - As an admin, go to http://example.com/wp-admin/edit.php?posttype=profileproform - Choose the default profile, cli...

AI score 7.4
Exploits 0
Vulnrichment
added 2024/08/13 3:51 p.m., 38 views

CVE-2024-21757

An unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, as well as Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, allows an attacker ...

CVSS 6.1, AI score 7, EPSS 0.00141
Exploits 0, References 1