Stored Cross Site Scripting (XSS) vulnerability in Care2x Hospital Information Management 2.7 Alpha. The vulnerability is triggered through POST requests to the /modules/registration_admission/patient_register.php page via the 'name_middle', 'addr_str', 'station', 'name_maiden', 'name_2' and 'name_3' parameters.
A vulnerability in easy-mock 1.6.0 allows an authenticated user to execute arbitrary code on the target system. An attacker can register a new user with a random username and password, then log in to the system and use the /api/mock/v1/user/exec endpoint to execute arbitrary code on the target system. This vulnerability affects easy-mock versions 1.5.0-1.6.0.
4images 1.8 contains an authenticated SQL injection vulnerability due to improper sanitization of user-supplied input. The vulnerability exists in the 'limitnumber' parameter of the 'findimages' action of the 'images.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious SQL code in the 'limitnumber' parameter. This can allow the attacker to execute arbitrary SQL commands on the underlying database.
PHP Dashboards is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
RedTeam Pentesting discovered a vulnerability in the MobileTogether server which allows users with access to at least one app to read arbitrary, non-binary files from the file system and perform server-side requests. The vulnerability can also be used to deny availability of the system.
The COVID19 Testing Management System 1.0 application from PHPgurukul is vulnerable to SQL injection via the 'searchdata' parameter on the patient-search-report.php page. An unauthenticated user has the full ability to run system commands via --os-shell and fully compromise the system.
Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones is vulnerable to content provider injection, through which any third-party application can read the user's browser history.
Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.
A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy executable 'RemoteBackup.Service.exe' has incorrect permissions, allowing a local unprivileged user to replace it with a malicious file that will be executed with 'LocalSystem' privileges at the scheduled time.