Orca Management Organization Co., Ltd. Security Vulnerabilities

Art Gallery Management System Project v1.0 - Cross-Site Scripting

A reflected cross-site scripting (XSS) vulnerability in Art Gallery Management System Project v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the artname parameter under ART TYPE option in the navigation...

lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset.....

Moodle CSRF risk in analytics management of models

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF...

lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset.....

Diary Management System 1.0 - Cross-Site Scripting

Diary Management System 1.0 contains a cross-site scripting vulnerability via the Name parameter in...

School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting

School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based....

CVE-2022-1599

The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status (draft, published), slug, post date, comment status...

Improper Session Management

reportico-web/reportico is vulnerable to Improper Session Management. The vulnerability is due to improper handling of session tokens, which allows an attacker to reuse a token after a user has logged...

ehicle Service Management System 1.0 - Cross-Site Scripting

Vehicle Service Management System 1.0 contains a stored cross-site scripting vulnerability via the Category List section in login...

Dairy Farm Shop Management System 1.0 - SQL Injection

Dairy Farm Shop Management System 1.0 contains multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context...

Car Rental Management System 1.0 - Local File Inclusion

Car Rental Management System 1.0 allows an unauthenticated user to perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, leading to code...

Online Piggery Management System v1.0 - Unauthenticated File Upload

Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to...

WSO2 Management - Arbitrary File Upload & Remote Code Execution

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key...

WordPress RSVP and Event Management <2.7.8 - Missing Authorization

WordPress RSVP and Event Management plugin before 2.7.8 is susceptible to missing authorization. The plugin does not have any authorization checks when exporting its entries, and the export function is hooked to the init action. An attacker can potentially retrieve sensitive information such as...

How to Bypasss Load Balancing in Veeam Management Pack for Microsoft System Center

How to Bypasss Load Balancing in Veeam Management Pack for Microsoft System...

Old Age Home Management System v1.0 - SQL Injection

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username...

Purchase Order Management v1.0 - Cross Site Scripting (Reflected)

Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at...

Sourcecodester Simple Client Management System 1.0 - SQL Injection

Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected...

WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting

WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated...

co-iki.org Cross Site Scripting vulnerability OBB-3898416

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

turn8.co Cross Site Scripting vulnerability OBB-3899708

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354)

Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability. Following IBM® Engineering Lifecycle Engineering products, exposed to this vulnerability, are been addressed in this bulletin: Jazz...

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to jose4j (CVE-2023-51775)

Summary There is a vulnerability in the jose4j library used by IBM WebSphere Application Server traditional and used by the IBM WebSphere Application Server Liberty. The following IBM® Engineering Lifecycle Engineering products are exposed to this attack and are been addressed in this bulletin:...

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-50312)

Summary IBM WebSphere Application Server Liberty could provide weaker than expected security for outbound TLS connections. Following IBM® Engineering Lifecycle Engineering products are vulnerable to this risk, it has been addressed in this bulletin: Jazz Foundation, Global Configuration Management....

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to server-side request forgery (CVE-2024-22329)

Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to server-side request forgery. Following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack, it has been addressed in this bulletin: Jazz Foundation, IBM Engineering...

Geutebruck - Remote Command Injection

Geutebruck is susceptible to multiple vulnerabilities its web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected...

Vehicle Service Management System 1.0 - Stored Cross Site Scripting

Vehicle Service Management System 1.0 contains a stored cross-site scripting vulnerability via the Service List section in login...

Moodle CSRF risk in admin preset tool management of presets

Actions in the admin preset tool did not include the necessary token to prevent a CSRF...

Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection

Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...

School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting

School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability via admin/inc/navigation.php:125. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal...

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service (CVE-2024-25026)

Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. The following IBM®...

Moodle CSRF risk in admin preset tool management of presets

Actions in the admin preset tool did not include the necessary token to prevent a CSRF...

Mediawiki Improper Privilege Management

Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for...

Vehicle Service Management System 1.0 - Stored Cross Site Scripting

Vehicle Service Management System 1.0 contains a stored cross-site scripting vulnerability via the Mechanic List section in login...

Plone Improper Session Management

Plone CMS before 3, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the...

Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting

Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting via the vehicalorcview...

Prison Management System Using PHP SQL Injection

...

CVE-2022-36193

SQL injection in School Management System 1.0 allows remote attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL...

Security Bulletin: Multiple vulnerabilities in IBM Java may affect IBM Storage Protect for Space Management

Summary IBM Storage Protect for Space Management can be affected by security flaws in IBM Java. The flaws can lead to denial of service, confidentiality impact, integrity impact, availability impact, and sensitive information disclosure, as described in the "Vulnerability Details" section....

MoinMoin Improper Privilege Management

MoinMoin 1.2.2 and earlier could allow a remote attacker to gain elevated privileges, caused by an undisclosed Access Control List (ACL) vulnerability in the...

IBM Maximo Asset Management Information Disclosure - XML External Entity Injection

IBM Maximo Asset Management is vulnerable to...

Prison Management System - SQL Injection Authentication Bypass

...

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Apache Xerces2

Summary Multiple vulnerabilities have been identified in Apache Xerces2, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details ** CVEID: CVE-2022-23437 DESCRIPTION: **Apache...

CVE-2024-36779

Sourcecodester Stock Management System v1.0 is vulnerable to SQL Injection via...

CVE-2024-37678

Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted...

CVE-2024-37678

Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted...

CVE-2024-37678

Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted...

CVE-2024-37678

Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted...

CVE-2023-20219

Multiple vulnerabilities in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The attacker would need valid device credentials but does not require...

CVE-2023-37058

Insecure Permissions vulnerability in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to escalate privileges via a crafted...