Search: Bumsys Project (query: Bumsys)

8 matches found

CVE | added 2023/05/05 12:00 a.m. | 144 views

CVE-2023-2551

CVE-2023-2551 affects the PHP-based Bumsys (unilogies/bumsys) with versions prior to 2.1.1. The vulnerability stems from an API endpoint that processes file paths and allows local files to be included, enabling remote code execution via crafted requests to the api route. The root cause is unsafe ...

CVSS 8.8 | AI score 8 | EPSS 0.00655

CVE | added 2023/05/05 12:00 a.m. | 133 views

CVE-2023-2552

CVE-2023-2552 describes a CSRF vulnerability in unilogies/bumsys prior to 2.1.1. Connected sources provide a PoC: an attacker can reach ajax.php via /accounts/ajax without a CSRF token, bypassing the check and potentially enabling unauthorized actions via a crafted request. The vulnerabil...

CVSS 8.8 | AI score 8.9 | EPSS 0.00154

CVE | added 2023/05/05 12:00 a.m. | 130 views

CVE-2023-2553

CVE-2023-2553 is a stored XSS in unilogies/bumsys prior to version 2.2.0. The vulnerability arises when user input (e.g., customerName) is stored and later rendered without proper escaping, enabling injected scripts as shown in PoC payloads (e.g., customerName containing ). Affected product: unil...

CVSS 5.4 | AI score 5.1 | EPSS 0.00162

CVE | added 2023/05/22 10:43 a.m. | 99 views

CVE-2023-2832

CVE-2023-2832 concerns the Unilogies Bumsys project (unilogies/bumsys) with SQL injection in versions prior to 2.2.0. The vulnerability stems from building SQL queries by appending user-supplied values (customerId, empId, company_id) without proper quoting, leading to injection and potential dela...

CVSS 7.2 | AI score 7.4 | EPSS 0.00302

CVE | added 2023/03/13 12:00 a.m. | 82 views

CVE-2023-1362

CVE-2023-1362 affects unilogies/bumsys prior to v2.0.2. The root cause is improper restriction of rendered UI layers or frames, enabling clickjacking. Public references in NVD/Red Hat/Nuclei templates describe the issue and indicate upgrade to version 2.0.2 or later as the remediation. CVSS v3.1 ...

CVSS 8.4 | AI score 6.6 | EPSS 0.51102

CVE | added 2023/01/26 12:00 a.m. | 70 views

CVE-2023-0455

CVE-2023-0455 affects unilogies/bumsys prior to v1.0.3-beta. Affected: the upload mechanism for shop logos (settings/shop-list) that accepts a file named profile picture.php with PHP code, indicating unrestricted upload of a dangerous file type. Root cause: insufficient validation of file type/ex...

CVSS 8.8 | AI score 8.1 | EPSS 0.06665
Web
CVE | added 2023/03/13 12:00 a.m. | 44 views

CVE-2023-1361

CVE-2023-1361: SQL injection in the open-source project unilogies/bumsys prior to v2.0.2. The vulnerability stems from core/ajax/ajax_data.php, where customer_id is sanitized but interpolated into an unquoted numeric context, allowing injected SQL (the example PoC in Huntr shows a time-based sleep). ...

CVSS 7.2 | AI score 7 | EPSS 0.00273

CVE | added 2023/05/05 12:00 a.m. | 34 views

CVE-2023-2554

CVE-2023-2554 affects unilogies/bumsys prior to 2.2.0. The issue is External Control of File Name or Path, enabling path traversal via user-supplied input used to build file paths in easyUpload, potentially allowing arbitrary file write. Public sources (NVD/Red Hat/Rust) rate severity as HIGH (CV...

CVSS 7.2 | AI score 7 | EPSS 0.01916