An SQL injection vulnerability exists in the *miniform* module of WBCE CMS version 1.6.0. The vulnerability allows unauthenticated attackers to access and potentially take over the entire database. The issue arises from the lack of authentication checks in the file /modules/miniform/ajax_delete_message.php, specifically in a DELETE query on line 40. The vulnerability can be exploited by using a tick sign (`) to manipulate the query. The vulnerable parameter is DB_RECORD_TABLE.
The vulnerability allows attackers to manipulate SQL queries in the application's database by injecting malicious SQL code through the client-side input fields. Successful exploitation can lead to unauthorized access, data manipulation, administrative actions on the database, file system content retrieval, and potentially executing commands on the operating system.
The Savsoft Quiz v6.0 Enterprise software is prone to a Persistent Cross-Site Scripting (XSS) vulnerability due to improper validation of user-supplied data in the 'quiz_name' parameter. An attacker can exploit this issue by injecting malicious scripts, potentially leading to the execution of arbitrary code in the context of the affected site. This vulnerability was tested on Kali Linux and Windows 10.
A vulnerability in djangorestframework-simplejwt version <= 5.3.1 allows for various security issues such as Business Object Level Authorization (BOLA), Business Function Level Authorization (BFLA), and Information Disclosure. This vulnerability permits users to access web application resources even after their account has been deactivated due to inadequate user validation checks.
The 'your_name' parameter in WEBIGniter v28.7.23 lacks proper input validation, leading to a vulnerability where an attacker can execute malicious JavaScript code by injecting it into the parameter. This can result in reflected cross-site scripting (XSS) attacks, potentially compromising user data and system integrity.
A vulnerability in Metabase version 0.46.6 allows remote attackers to execute arbitrary code before authentication. By sending a crafted request to the '/exploitable' endpoint, an attacker can trigger the execution of malicious code on the target server. This vulnerability has been assigned CVE-2023-38646.
The Numbas version 7.2 and below allows remote attackers to execute arbitrary code via a crafted request, leading to potential remote code execution. This vulnerability is identified as CVE-2024-27612.
An unauthenticated attacker can exploit a Denial of Service vulnerability in VIMESA VHF/FM Transmitter Blue Plus 9.7.1 by sending an unauthorized HTTP GET request to the unprotected endpoint 'doreboot', resulting in the restart of transmitter operations.
The vulnerability exists in Blood Bank v1.0 due to insufficient input validation on 'hemail' and 'hpassword' parameters, enabling attackers to perform SQL injection attacks. This allows unauthorized access to the database by bypassing authentication mechanisms. Multiple CVEs have been assigned: CVE-2023-46014, CVE-2023-46017, CVE-2023-46018.
SnipeIT version 6.2.1 is vulnerable to stored cross-site scripting (XSS) allowing attackers to run malicious JavaScript code. The specific vulnerability lies in the location endpoint.
Services By CQR