The editid parameter is vulnerable to SQL injection and the Name and Email fields are vulnerable to stored cross-site scripting.
Active WebCam 11.5 has an unquoted service path vulnerability. The service is configured to start automatically at Windows startup when the 'Start as Service' option is enabled in Program Options. The service runs with LocalSystem privileges and its binary path is not quoted, which an attacker can exploit to gain elevated privileges.
Bus Pass Management System 1.0 is vulnerable to stored cross-site scripting (XSS). An attacker can inject malicious payloads into the 'adminname' POST parameter of the /admin/admin-profile.php page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. To exploit this vulnerability, an attacker must have valid credentials to log in to the dashboard and set the 'adminname' parameter to the malicious payload.
This vulnerability allows an attacker to inject malicious code into a CSV file exported from the TablePress plugin in WordPress. By entering a specially crafted payload into the Table Content Input Field, an attacker can inject malicious code into the CSV file when it is exported. When the CSV file is opened, the malicious code will be executed.
This is a SQL injection vulnerability in the WordPress plugin Survey & Poll version 1.5.7.3. The vulnerability exists in the 'sss_params' parameter of the 'sss_load_results' action. An attacker can exploit this vulnerability to gain access to the database and execute arbitrary SQL commands.
A stored XSS vulnerability exists in WordPress Plugin WP Sitemap Page version 1.6.4. An attacker can exploit this vulnerability by installing and activating WP Sitemap Page, navigating to Settings >> WP Sitemap Page >> Settings and entering the XSS payload into the 'How to display the posts' Input field. When the same functionality is triggered, the JavaScript payload is executed successfully and a pop-up is displayed.
A vulnerability in Antminer Monitor exists because of a backdoor or misconfiguration left by the developer in the settings file of the Flask server. The settings file (antminer-monitor/settings.py) contains a predefined secret string that should be randomly generated but is static in this build. The secret key is 'super secret key'. Using the flask-unsign tool, a cookie can be generated that grants admin access. Because the key is static, this universal cookie can also be used to access the web interface of the Flask application on any system by placing it in the 'session' field.
The vulnerability exists in SmartFTP Client 10.0.2909.0 and allows an attacker to cause a denial of service by entering a non-existent IP address in the FTP server field, by copying the content of the 'path.txt' file generated by the Python script, or by clearing the history in the 'New Connection' bar and typing anything into it.
Patient Appointment Scheduler System v1.0 is vulnerable to a persistent/stored XSS vulnerability. An attacker can inject malicious JavaScript code into the 'about_us' field of the SystemSettings.php page, which is then stored in the database and executed when the main page is loaded. This can be used to steal user cookies, redirect users to malicious websites, or perform other malicious activities.
Patient Appointment Scheduler System v1.0 is vulnerable to unauthenticated file upload. An attacker can upload a malicious file to the server and execute arbitrary code. This exploit was tested on Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0.