The Sales Tracker Management System v1.0 is affected by multiple vulnerabilities. An attacker can exploit these vulnerabilities to perform various actions like redirecting users to malicious sites.
Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.
The WordPress Theme Workreap version 2.2.2 is vulnerable to an unauthenticated file upload vulnerability, which can lead to remote code execution. By exploiting this vulnerability, an attacker can upload a malicious PHP file to the target server and execute arbitrary code.
This exploit allows an attacker to access files and directories outside of the intended directory on the Thruk Monitoring Web Interface version 3.06 or earlier. The vulnerability occurs due to insufficient input validation in the application.
The USB Flash Drives Control software version 4.1.0.0 is vulnerable to an unquoted service path vulnerability. This allows an attacker to gain elevated privileges by placing a malicious executable in a directory with spaces in its name.
The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to insufficient escaping of user input in the post_type parameter. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever the affected page is accessed.
If a malicious payload is placed in the affected path and the service is started by any means, the attacker can gain elevated privileges on the system and perform malicious actions.
MotoCMS version 3.4.3 is vulnerable to SQL injection via the keyword parameter.
The web interface of the STARFACE PBX in version 7.3.0.10 allows for authentication with a password hash. The JavaScript file 'prettifier.js' adds the 'secret' and 'ack' parameters to the login form before submission. The 'defaultVals' JavaScript object contains the static hash of the PBX version.
Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.