
Explore Vulnerabilities


Explore all Exploits:

Super Socializer 7.13.52 – Reflected XSS

The Super Socializer plugin version 7.13.52 is vulnerable to a reflected XSS vulnerability. Attackers can exploit this vulnerability by injecting malicious JavaScript code into the vulnerable parameter. When a user visits a crafted URL containing the payload, the injected code will be executed in the user's browser, potentially allowing the attacker to steal sensitive information or perform unauthorized actions on behalf of the user.

WP Sticky Social 1.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)

The WP Sticky Social plugin version 1.0.1 is vulnerable to Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) attacks. An attacker can exploit this vulnerability to perform malicious actions on behalf of an authenticated user and inject arbitrary script code into the affected site.

WordPress Theme Medic v1.0.0 – Weak Password Recovery Mechanism for Forgotten Password

The WordPress Theme Medic v1.0.0 has a weak password recovery mechanism for forgotten passwords. This vulnerability allows an attacker to reset a user's password without proper authorization. The vulnerability can be exploited by sending a specially crafted password reset link to the targeted user's email address.

Symantec SiteMinder WebAgent v12.52 – Cross-site scripting (XSS)

I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I have discovered in the Symantec SiteMinder WebAgent. The vulnerability is related to the improper handling of user input and has been assigned the Common Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for this vulnerability is 5.4.

Diafan CMS 6.0 – Reflected Cross-Site Scripting (XSS)

The Diafan CMS version 6.0 is vulnerable to a reflected cross-site scripting (XSS) attack. This can be exploited by an attacker by injecting malicious script code into the 'Search in the goods > Article' field on the main page of the CMS. When a user interacts with the injected payload, it will execute the script code in the user's browser, potentially leading to unauthorized actions or data theft. An example payload that triggers an alert with the document domain is provided: "><script>alert(document.domain)<%2Fscript>

Student Study Center Management System v1.0 – Stored Cross-Site Scripting (XSS)

The Student Study Center Management System v1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.

Jobpilot v2.61 – SQL Injection

The Jobpilot v2.61 application is vulnerable to SQL Injection. The vulnerability can be exploited through the 'long' parameter in a GET request. The exploit allows an attacker to execute arbitrary SQL queries, potentially gaining unauthorized access to the database. The PoC includes error-based and time-based blind SQL injection payloads.
