Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
Budget and Expense Tracker System 1.0, is prone to an Easy authentication bypass vulnerability on the application allowing the attacker to login with admin acount
Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
Online Food Ordering System 2.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
This exploit allows an authenticated user to inject malicious XML code into the WordPress Media Library, which can be used to perform SSRF attacks and read local files.
Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.
Attacker can change admin information by sending a malicious POST request to the victimsite.com/srv/service/admin/updateuserinfo with the desired credentials in the request body.
Simple Attendance System, is prone to multiple vulnerabilities. Easy authentication bypass vulnerability on the application allowing the attacker to login. The attacker can use the wrong credentials and capture the request in burp and send it to repeater. Then, the attacker can replace the response with a successful login response and forward the request. This will allow the attacker to login as admin.
Library Management System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.
An authentication bypass vulnerability was patched in Booster for WooCommerce plugin. Attackers can exploit this vulnerability by visiting the target website's wp-json/wp/v2/users/ page, picking a user-ID, and then using the exploit_CVE-2021-34646.py script to generate multiple timestamps in order to avoid delay related timing errors. One of the generated links will allow the attacker to access the system.
Services By CQR