Ingenious School Management System is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable parameter 'id' in the 'get_teacher.php' page. This can allow the attacker to gain access to the database and execute arbitrary commands.
An attacker can perform attacks via calendar ajax queries. However, this plugin is fully PHP-enabled. You can run SQL query with 'month' and 'year' parameters. These parameters are also suitable for XSS attacks. All PHP queries for which these parameters work have the same vulnerable.
The PDOSessionHandler class allows to store sessions on a PDO connection. Under some configurations (see below) and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. An application is vulnerable when it is using PDOSessionHandler to store its sessions, it uses MySQL as a backend for sessions managed by PDOSessionHandler, and the SQL mode does not contain STRICT_ALL_TABLES or STRICT_TRANS_TABLES (check via SELECT @@sql_mode).
A SQL injection vulnerability exists in easyLetters 1.0, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the 'e-mails.php' script. An attacker can leverage this vulnerability to gain access to the application, database, and server.
mySurvey 1.0 is vulnerable to SQL Injection in the 'statistic.php' page with the 'id' parameter. This parameter is vulnerable to boolean-based blind and AND/OR time-based blind attacks, as well as a generic UNION query. The payloads for each attack are provided in the text.
A SQL injection vulnerability exists in EasyService Billing 1.0 in the jobcard-ongoing.php?q= parameter. An attacker can exploit this vulnerability to inject malicious SQL queries into the application and gain access to sensitive data from the database. This can be exploited by sending a specially crafted payload to the vulnerable parameter. Boolean Based Blind SQL and Error-Based SQL payloads can be used to exploit this vulnerability.
A Cross-Site Scripting (XSS) vulnerability was discovered in EasyService Billing 1.0. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'q' parameter of the 'jobcard-ongoing.php' script. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable website. For example, an attacker can send a specially crafted request to the vulnerable script and execute arbitrary JavaScript code in a victim's browser.
EasyService Billing 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can exploit this vulnerability to perform malicious actions on behalf of the authenticated user. The attacker can send a malicious request to the vulnerable application and perform actions such as creating a new user or modifying existing user details. The attacker can also modify the quotation details of an existing user.
The vulnerability allows an attacker to inject sql commands from the search section with 'search' parameter.
The vulnerability allows an attacker to inject sql commands from the search section with 'cal_id' parameter.
Services By CQR