The Simple Inventory Management System v1.0 is susceptible to SQL Injection. The user inputs ($_POST['email'] and $_POST['pwd']) are directly inserted into the SQL query without adequate validation or sanitization, enabling potential manipulation by malicious users. This could lead to the injection of SQL code through specially crafted input, posing a significant security risk.
The Flashcard Quiz App v1.0 is prone to SQL injection due to unsanitized user inputs directly concatenated into SQL queries. An attacker can manipulate the SQL query through the 'card' parameter in the URL, potentially leading to unauthorized actions on the database.
A file upload vulnerability in Petrol Pump Management Software v1.0 allows attackers to run arbitrary code by uploading a malicious payload to the 'Image' parameter in the 'profile.php' component.
A PHP shell file can be uploaded as a bot_avatar, user_avatar or image, since the upload handler does not validate the file type.
Attendance and Payroll System v1.0 is vulnerable to an authentication bypass through SQL injection. An attacker can exploit this vulnerability by sending a specially crafted payload to the login page of the application. The payload will bypass the authentication and allow the attacker to access the application as an administrator.
Online Learning System v2.0 login pages can be bypassed with a simple SQLi in the username/facultyID/studentID parameters. Steps to reproduce: 1 - Go to one of the login portals. 2 - Enter the payload 'bypass' or 1=1-- -' (without double quotes; 'bypass' can be any value) in the username field and type anything in the password field. 3 - Click the 'Login' button; you are logged in as the first user in the database, which is the admin user for the admin portal.
Patient Appointment Scheduler System v1.0 is vulnerable to a persistent/stored XSS vulnerability. An attacker can inject malicious JavaScript code into the 'about_us' field of the SystemSettings.php page, which is then stored in the database and executed when the main page is loaded. This can be used to steal user cookies, redirect users to malicious websites, or perform other malicious activities.
Patient Appointment Scheduler System v1.0 is vulnerable to unauthenticated file upload. An attacker can upload a malicious file to the server and execute arbitrary code. This exploit was tested on Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0.
This exploit allows an unauthenticated attacker to gain remote code execution on a vulnerable Responsive Tourism Website 3.1. The attacker can bypass the login page by using a SQL injection payload and then upload a malicious PHP shell to the server. The attacker can then access the shell via the URL and execute arbitrary commands on the server.
The vulnerability exists due to insufficient sanitization of user-supplied input in the 'username' and 'password' parameters of the 'login.php' script. A remote attacker can bypass authentication and gain access to the application.