Teacher Subject Allocation Management System version 1.0 is vulnerable to SQL injection due to inadequate security measures on the 'searchdata' parameter in the index.php file. This vulnerability can be exploited by injecting malicious SQL queries, potentially allowing unauthorized access to sensitive database information.
The 'nid' parameter in Best Student Result Management System v1.0 is prone to SQL injection attacks. An attacker can exploit this vulnerability to execute arbitrary SQL queries on the underlying database. By injecting a malicious payload that calls MySQL's load_file function with a UNC file path pointing to an external domain, the attacker can interact with the external domain and extract sensitive information from the system.
An Information Disclosure vulnerability in OpenClinic GA 5.247.01 allows an attacker to infer the existence of specific appointments by manipulating the input to the printAppointmentPdf.jsp component. By observing error messages, an unauthorized user can determine the presence of appointments without direct access to the data, potentially revealing sensitive information about appointments at private clinics, surgeries, and doctors' practices. This vulnerability is identified as CVE-2023-40278.
Hospital Management System v1.0 is vulnerable to Stored Cross Site Scripting (XSS) due to insufficient input validation. An attacker can execute malicious code by injecting a crafted payload into parameters such as 'patient_id', 'first_name', 'middle_initial', and 'last_name' in the 'receptionist.php' component.
AnyDesk version 7.0.15 installs a service with an unquoted service path that runs with SYSTEM privileges. This vulnerability could be exploited by an authorized non-privileged local user to execute arbitrary code with elevated privileges on the system.
SQL injection vulnerability in Employee Management System 1.0 allows an attacker to manipulate database queries through user input fields `txtfullname` and `txtphone`. Successful exploitation can lead to data exfiltration, data manipulation, unauthorized administration operations, file system access, and potentially OS command execution.
The 'cityedit' parameter in the Human Resource Management System v1.0 is vulnerable to SQL injection attacks. An attacker can inject a payload that calls MySQL's load_file function with a UNC file path referencing a URL on an external domain. By executing this injected SQL query, the attacker can gain access to all information stored in the system.
The exploit targets RouterOS devices with versions ranging from 6.40.5 to 6.44 and 6.48.1 to 6.49.10. By sending a crafted packet, it can cause a denial of service condition on the target device. This vulnerability is identified as CVE-2024-27686.
The Wordpress Plugin WP Video Playlist 1.1.1 is vulnerable to stored cross-site scripting (XSS) attack. An attacker can inject malicious scripts into the 'videoFields[post_type]' input field, leading to the execution of arbitrary code in the context of the user's browser. This can result in cookie theft, session hijacking, or other malicious activities.
The Siklu MultiHaul TG series with a version less than 2.0.0 allows unauthenticated credential disclosure. By exploiting this vulnerability, an attacker can obtain random generated username and password, gaining unauthorized access to the device.
Services By CQR