Atlassian Confluence Server allows remote attackers to view restricted resources via local file inclusion in the /s/ endpoint.
Student Quarterly Grading System v1.0 Login page can be bypassed with a simple SQLi to the username parameter. Steps To Reproduce: 1 - Go to the login page http://localhost/grading_system/login.php 2 - Enter the payload to username field as "bypass' or 1=1-- -" without double-quotes and type anything to password field. 3 - Click on "Login" button and you are logged in as administrator.
Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability. An attacker can exploit this vulnerability by creating a new product and inputting a malicious payload in the product description field. The stored XSS triggers for all users that navigate to the home page.
A SQL injection vulnerability exists in the Young Entrepreneur E-Negosyo System 1.0, which allows an attacker to bypass authentication by sending a crafted request with a modified user_email parameter. By changing the user_email parameter to 'janobe' or '1'='1', an attacker can bypass authentication and gain access to the admin panel.
Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts. An attacker can use the payload ' or 1 -- - as username and password to bypass authentication and gain access to the admin panel.
Payara Micro Community 5.2021.6 and below contains a directory traversal vulnerability.
An attacker can bypass authentication by entering anything in the username and password fields and then changing the username to 'admin' or '1'='1' and the password to 'dfsms'. This will allow the attacker to log in as an admin.
CMSimple_XH is an open source project under GPL3 license. It includes an endpoint that allows remote access. The backup page is misconfigured, causing a security vulnerability. User information with sufficient permissions is required to exploit this vulnerability.
Improper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks. Placing a XSS payload in one of the fields reflected onto the application, triggers the exploitation. No CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS.
An attacker can bypass authentication by sending a crafted request with a username of 'admin' or '1'='1' and a password of 'dfsms' to the '/dfsms/index.php' endpoint.
Services By CQR