header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

Sitefinity 15.0 – Cross-Site Scripting (XSS)

A Cross-Site Scripting (XSS) vulnerability was found in Sitefinity CMS versions prior to 15.0.0. The vulnerability exists in all features using SF-Editor in the backend of the CMS. An attacker with lower privileges can insert malicious XSS payloads in the content form, which will be executed when a user with higher privileges, the victim, views the affected page.

Cluster Manager Exploitation

The script aims to exploit a vulnerability in a cluster manager by searching for a specific 'Alias' parameter in the href attribute of HTML links. If the parameter is found, the script proceeds with the exploitation process. It utilizes BeautifulSoup for parsing HTML content and requests library for making HTTP requests. The vulnerability can potentially lead to information disclosure.

WordPress File Upload < 4.23.3 Stored XSS

A Stored Cross-Site Scripting (XSS) vulnerability exists in WordPress File Upload plugin version 4.23.3 and prior. By inserting a malicious shortcode in a post, an attacker can trigger an XSS attack when a file is uploaded, leading to potential script execution in the victim's browser. This vulnerability has been assigned CVE-2023-4811.

Insurance Management System PHP and MySQL 1.0 – Multiple Stored XSS

The Insurance Management System PHP and MySQL 1.0 allows for multiple stored cross-site scripting (XSS) vulnerabilities. An attacker can inject malicious payloads, such as <img src=x onerror=prompt("xss")>, into various input fields like Subject, Description, fname, lname, city, and street. When an admin views specific pages like Support Tickets or Users, the XSS payloads are executed.

OpenClinic GA 5.247.01 – Information Disclosure

An Information Disclosure vulnerability in OpenClinic GA 5.247.01 allows an attacker to infer the existence of specific appointments by manipulating the input to the printAppointmentPdf.jsp component. By observing error messages, an unauthorized user can determine the presence of appointments without direct access to the data, potentially revealing sensitive information about appointments at private clinics, surgeries, and doctors' practices. This vulnerability is identified as CVE-2023-40278.

WEBIGniter v28.7.23 XSS

The 'your_name' parameter in WEBIGniter v28.7.23 lacks proper input validation, leading to a vulnerability where an attacker can execute malicious JavaScript code by injecting it into the parameter. This can result in reflected cross-site scripting (XSS) attacks, potentially compromising user data and system integrity.

Blood Bank v1.0 SQL Injection Vulnerability

The vulnerability exists in Blood Bank v1.0 due to insufficient input validation on 'hemail' and 'hpassword' parameters, enabling attackers to perform SQL injection attacks. This allows unauthorized access to the database by bypassing authentication mechanisms. Multiple CVEs have been assigned: CVE-2023-46014, CVE-2023-46017, CVE-2023-46018.

MISP 2.4.171 Stored Cross-Site Scripting Vulnerability

The MISP version 2.4.171 is prone to a stored cross-site scripting vulnerability. An authenticated attacker can inject malicious scripts into the 'Name' parameter when adding a cluster under the 'Galaxies' section, leading to the execution of arbitrary scripts in the context of the victim's browser. This vulnerability has been assigned CVE-2023-37307.

Recent Exploits: