E-INSUARANCE v1.0 is vulnerable to stored cross-site scripting (XSS) attacks. An attacker can inject malicious code into the Firstname and Lastname parameters in the profile component, allowing them to execute arbitrary scripts.
CE Phoenix v1.0.8.20 allows authenticated remote attackers to execute arbitrary code via the define_language.php lngdir parameter.
An attacker can exploit a SQL injection vulnerability in Elementor Website Builder version less than 3.12.2 by sending a malicious payload through the 'Replace URL' feature. By executing a specific SQL command, the attacker can make the server hang for 2 seconds, indicating a successful injection.
Daily Expense Manager 1.0 is vulnerable to SQL injection through the 'term' parameter in the readxp.php file. An attacker can inject malicious SQL queries via the 'term' parameter, leading to unauthorized access to the database.
A broken access control vulnerability was found in NodeBB v3.6.7, allowing unauthorized users to access restricted information meant for administrators only. By manipulating certain attributes in the JSON response after intercepting the group request, users with minimal privileges can access tabs limited to administrators. This issue was acknowledged and fixed by the developers upon discovery.
The Insurance Management System PHP and MySQL 1.0 allows for multiple stored cross-site scripting (XSS) vulnerabilities. An attacker can inject malicious payloads, such as <img src=x onerror=prompt("xss")>, into various input fields like Subject, Description, fname, lname, city, and street. When an admin views specific pages like Support Tickets or Users, the XSS payloads are executed.
Teacher Subject Allocation Management System version 1.0 is vulnerable to SQL injection due to inadequate security measures on the 'searchdata' parameter in the index.php file. This vulnerability can be exploited by injecting malicious SQL queries, potentially allowing unauthorized access to sensitive database information.
The 'nid' parameter in Best Student Result Management System v1.0 is prone to SQL injection attacks. An attacker can exploit this vulnerability to execute arbitrary SQL queries on the underlying database. By injecting a malicious payload that calls MySQL's load_file function with a UNC file path pointing to an external domain, the attacker can interact with the external domain and extract sensitive information from the system.
An Information Disclosure vulnerability in OpenClinic GA 5.247.01 allows an attacker to infer the existence of specific appointments by manipulating the input to the printAppointmentPdf.jsp component. By observing error messages, an unauthorized user can determine the presence of appointments without direct access to the data, potentially revealing sensitive information about appointments at private clinics, surgeries, and doctors' practices. This vulnerability is identified as CVE-2023-40278.
Hospital Management System v1.0 is vulnerable to Stored Cross Site Scripting (XSS) due to insufficient input validation. An attacker can execute malicious code by injecting a crafted payload into parameters such as 'patient_id', 'first_name', 'middle_initial', and 'last_name' in the 'receptionist.php' component.
Services By CQR