17 matches found
CVE-2018-10257
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution...
CVE-2018-10256
A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query...
CVE-2018-10260
A Local File Inclusion vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user...
Remote file inclusion
A Local File Inclusion vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user...
Input validation
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution...
Cross site scripting
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user...
CVE-2018-10257
CVE-2018-10257 describes a CSV Injection in HRSALE The Ultimate HRM v1.0.2. A low-privilege user can inject a command into CSV exports (e.g., in the First Name field) that becomes part of the downloaded file, potentially leading to code execution. The PoC shows adding =cmd|'/C calc'!A1 in a user’...
CVE-2018-10260
HRSALE The Ultimate HRM v1.0.2 is affected by a Local File Inclusion vulnerability exploitable by a low-privileged user. The PoC demonstrates file reads via the admin/download endpoint (e.g., filename=../../../../../../../../etc/passwd). Multiple connected sources (NVD CVE-2018-10260, Exploit-DB,...
CVE-2018-10256
HRSALE The Ultimate HRM v1.0.2 contains a SQL injection vulnerability exploitable via the award_id parameter in the admin/read_awards endpoint. A low-privilege user can influence the SQL query, with PoC payloads demonstrating boolean-based blind injection. Several public references (Exploit-DB, P...
CVE-2018-10259
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user...
HRSALE The Ultimate HRM 1.0.2 CSV Injection
Exploit Title: HRSALE The Ultimate HRM 1.0.2 - CSV Injection Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10257 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux 2.0 | Mac OS 10.13...
HRSALE The Ultimate HRM 1.0.2 - Local File Inclusion
Exploit Title: HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10260 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/216656...
HRSALE The Ultimate HRM 1.0.2 - (Authenticated) Cross-Site Scripting
Exploit Title: HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross Site Scripting Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10259 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux...