CVE-2018-10257
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution...
CVE-2018-10256
A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query...
CVE-2018-10260
A Local File Inclusion vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user...
CVE-2018-10256
HRSALE The Ultimate HRM v1.0.2 contains a SQL injection vulnerability exploitable via the award_id parameter in the admin/read_awards endpoint. A low-privilege user can influence the SQL query, with PoC payloads demonstrating boolean-based blind injection. Several public references (Exploit-DB, P...
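The boolean-based blind behaviour described in this entry, as an added example that is not part of this listing or of HRSALE's own code (the application is PHP; Python is used here so the example runs stand-alone). Only the parameter name award_id comes from the entry; the awards table, its rows, and the function names are constructed assumptions. The vulnerable lookup concatenates the parameter into the WHERE clause, the hardened one validates and binds it, and the last function shows what "boolean-based blind" means in practice: a yes/no oracle is enough to read data out character by character.

```python
import sqlite3
import string

# Constructed sample data standing in for an awards table. The column name
# award_id comes from the CVE entry; the rest of the schema is an assumption.
ROWS = [(1, "Employee of the Month"), (2, "Best Newcomer")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE awards (award_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO awards VALUES (?, ?)", ROWS)
    return conn


def read_award_vulnerable(award_id: str):
    """Query built by string concatenation: the pattern behind CVE-2018-10256.
    Whatever the client sends in award_id becomes part of the WHERE clause."""
    sql = "SELECT title FROM awards WHERE award_id = " + award_id
    return [row[0] for row in _connect().execute(sql)]


def read_award_safe(award_id: str):
    """Hardened lookup: reject anything that is not an integer literal, then
    bind the value as a parameter so it can never change the query structure."""
    if not award_id.isdigit():
        return []
    sql = "SELECT title FROM awards WHERE award_id = ?"
    return [row[0] for row in _connect().execute(sql, (int(award_id),))]


def blind_oracle(lookup, award_id: str) -> bool:
    """Boolean-based blind injection needs only this signal: did the page
    render a row for this request, or not."""
    return bool(lookup(award_id))


def recover_title_via_oracle(award_id: int, max_len: int = 40) -> str:
    """Recover a title one character at a time through the vulnerable lookup,
    using substr() conditions that are only true for the right character.
    SQLite compares text case-sensitively by default, so each probe is exact."""
    charset = string.ascii_letters + " "
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"{award_id} AND substr(title,{pos},1)='{ch}'"
            if blind_oracle(read_award_vulnerable, probe):
                recovered += ch
                break
        else:
            break  # no character in the charset matched: end of the string
    return recovered
```

The two probes `1 AND 1=1` and `1 AND 1=2` are the differential a tester looks for: the vulnerable lookup returns a row for the first and nothing for the second, while the hardened lookup returns nothing for either because neither is an integer. The character-recovery loop is the same oracle applied systematically; it is what turns a "the page is empty or not" signal into full data disclosure.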
CVE-2018-10257
CVE-2018-10257 describes a CSV Injection in HRSALE The Ultimate HRM v1.0.2. A low-privilege user can inject a command into CSV exports (e.g., in the First Name field) that becomes part of the downloaded file, potentially leading to code execution. The PoC shows adding =cmd|'/C calc'!A1 in a user’...
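An export-side neutralisation for the CSV injection described in this entry, as an added example that is not HRSALE's code or the PoC author's (the application is PHP; Python is used so the example runs stand-alone). The payload in the first sample row is the one quoted in the entry; the employee records, field names and function names are constructed assumptions. The point the example makes is that CSV quoting alone does not help: a spreadsheet evaluates a leading `=` even inside a quoted field, so the cell text itself must be changed.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula when they
# appear first. Tab and carriage return are included because they can start a
# formula once the spreadsheet splits the cell text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula(value: str) -> bool:
    """True when the cell would be interpreted as a formula on open."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_formula(value: str) -> str:
    """Prefix a leading formula trigger with a single quote so the spreadsheet
    shows the text literally instead of evaluating it."""
    if is_formula(value):
        return "'" + value
    return value


def export_csv(rows, header) -> str:
    """Write rows to CSV, neutralising every data cell before it is quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_formula(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed employee records. The first name in the first row is the payload
# quoted in the CVE entry; the other rows are ordinary data that must pass
# through unchanged (note the negative number, which the rule also touches).
EMPLOYEES = [
    ("=cmd|'/C calc'!A1", "Doe", "Finance"),
    ("Alice", "Smith", "Engineering"),
    ("-3", "Lee", "Sales"),
]
HEADER = ("first_name", "last_name", "department")
```

The apostrophe is visible in the file, so any downstream machine consumer of the export has to know it is there, and legitimate values such as `-3` are prefixed too. That is the trade-off of fixing this on the export path alone; the entry's "Input validation" classification points at the complementary fix, rejecting formula-shaped input when the First Name field is saved.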
CVE-2018-10260
HRSALE The Ultimate HRM v1.0.2 is affected by a Local File Inclusion vulnerability exploitable by a low-privileged user. The PoC demonstrates file reads via the admin/download endpoint (e.g., filename=../../../../../../../../etc/passwd). Multiple connected sources (NVD CVE-2018-10260, Exploit-DB,...
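A safe replacement for the filename handling behind the download endpoint described in this entry, as an added example that is not HRSALE's code (the application is PHP; Python is used so the example runs stand-alone). The traversal string is the one quoted in the entry; the directory layout, file names and function names are constructed assumptions. The check is two-layered: the supplied name must be a bare file name, and the fully resolved path, with symlinks followed, must still sit under the download root.

```python
import os
import tempfile
from pathlib import Path


def resolve_download(base_dir, filename):
    """Map a user-supplied download name to a file inside base_dir, or return
    None. Rejects directory components outright, then re-checks the resolved
    path so a symlink inside base_dir cannot point the download elsewhere."""
    base = Path(base_dir).resolve()
    if not filename or filename in (".", "..") or filename != os.path.basename(filename):
        return None  # contains a path separator or is a directory reference
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # resolved outside the download root (traversal or symlink)
    if not candidate.is_file():
        return None
    return candidate


def make_sample_tree():
    """Constructed directory layout for the example:
    root/downloads/report.pdf    legitimate file
    root/outside/secret.txt      must never be reachable
    root/downloads/link.txt      symlink to ../outside/secret.txt (where allowed)
    Returns the downloads directory."""
    root = Path(tempfile.mkdtemp())
    downloads = root / "downloads"
    outside = root / "outside"
    downloads.mkdir()
    outside.mkdir()
    (downloads / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (outside / "secret.txt").write_text("not for download")
    try:
        (downloads / "link.txt").symlink_to(outside / "secret.txt")
    except OSError:
        pass  # platforms without symlink permission simply skip that case
    return downloads
```

Rejecting anything with a separator is the cheap first line; the `resolve()` plus `relative_to()` step is the one that also catches symlinks and odd encodings that survive a naive string filter. Returning None rather than raising keeps the endpoint's behaviour identical for "no such file" and "not allowed", so the response does not confirm which files exist outside the root.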
CVE-2018-10259
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user...
HRSALE The Ultimate HRM 1.0.2 CSV Injection
Exploit Title: HRSALE The Ultimate HRM 1.0.2 - CSV Injection Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10257 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux 2.0 | Mac OS 10.13...
HRSALE The Ultimate HRM 1.0.2 - Local File Inclusion
Exploit Title: HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10260 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/216656...
HRSALE The Ultimate HRM 1.0.2 - (Authenticated) Cross-Site Scripting
Exploit Title: HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross Site Scripting Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10259 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux...