
5 matches found

GitHub Security Blog
added 2024/10/03 7:50 p.m., 13 views

@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defstring` parameters when setting localizer strings

Summary: The endpoint `/site-structure/localizer/save-string/:lang/:defstring` accepts two parameter values: `lang` and `defstring`. These values are used in an unsafe way to set the keys and value of the `cfgStrings` object. This makes it possible to add or modify properties of the Object prototype that result in severa...

AI score: 8.7
Exploits: 0, References: 4, Affected Software: 1
Exploit DB
added 2022/04/07 12:00 a.m., 269 views

KLiK Social Media Website 1.0 - 'Multiple' SQLi

Exploit Title: KLiK Social Media Website 1.0 - 'Multiple' SQLi; Date: April 1st, 2022; Exploit Author: corpse; Vendor Homepage: https://github.com/msaad1999/KLiK-SocialMediaWebsite; Software Link: https://github.com/msaad1999/KLiK-SocialMediaWebsite; Version: 1.0; Tested on: Debian 11; Parameter: poll G...

AI score: 7
Exploits: 0
OpenVAS
added 2016/11/17 12:00 a.m., 42 views

Exponent CMS <= 2.4.0 Information Disclosure and SQLi Vulnerabilities

Exponent CMS is prone to an SQL injection (SQLi) and an information disclosure vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE...

CVSS: 9.8, AI score: 6.7, EPSS: 0.01827
Exploits: 1, References: 6
OpenVAS
added 2012/10/04 12:00 a.m., 13 views

Omnistar Mailer Software Multiple SQLi Vulnerabilities

Omnistar Mailer Software is prone to multiple SQL injection (SQLi) vulnerabilities. SPDX-FileCopyrightText: 2012 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AI score: 8.4
Exploits: 0, References: 3
Exploit DB
added 2008/06/28 12:00 a.m., 39 views

SebracCMS 0.4 - Multiple SQL Injections

Name: SebracCMS; Website: http://www.sebrac.netsons.org/cms/; Vulnerability type: SQL Injection; Author: shinmai, 2008-06-28; Description: SebracCMS contains two major SQL injection vulnerabilities: Unsanitized POST-variables in SQL queries when logging users in. This allows login access without prop...

AI score: 7.4
Exploits: 0