ManageEngine ADSelfService Plus 6.1 is vulnerable to CSV Injection. A malicious user can send a POST request to the login page with a malicious payload in the j_username parameter. This payload will be saved to the User Attempts Audit Report table, which can be exported as a CSV file. If the admin user confirms the alert popup, a reverse shell connection will be obtained by the malicious user.
SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
A buffer overflow vulnerability exists in WebSSH for iOS 14.16.10, which can be exploited by a malicious user to cause a denial of service. The vulnerability is caused by a boundary error when handling user-supplied input. An attacker can exploit this vulnerability by supplying a specially crafted input to the vulnerable application. This will cause the application to crash, resulting in a denial of service condition.
A denial of service vulnerability exists in Visual Studio Code 1.47.1. An attacker can send a specially crafted request to the application, which will cause the application to crash.
Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitrary JavaScript by entering a malicious payload in the username field.
EgavilanMedia PHPCRUD 1.0 is vulnerable to SQL injection in the 'First Name' parameter. An attacker can send a malicious payload to the vulnerable parameter to execute arbitrary SQL commands on the underlying database. This can be exploited to gain unauthorized access to the database and its contents.
Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack. After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
Advanced Guestbook is a free open source guestbook script developed in PHP. Examples of features include email notifications, picture uploads, HTML tag handling, multiple polls, comments and themes. The vulnerability exists in the 'Smilies' tab of the admin panel, where an authorized user can inject malicious JavaScript code into the 's_emotion' parameter of the POST request. This code will be executed when the 'Smilies' tab is accessed again.
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. This vulnerability allows the attacker to inject the XSS payload into the Title field of the page; each time any user opens the website, the XSS triggers and the attacker is able to steal the cookie, depending on the crafted payload.
An attacker can exploit a Cross Site Request Forgery vulnerability in the Dental Clinic Appointment Reservation System 1.0 to add an admin user. By crafting a malicious HTML page, an attacker can send a POST request to the vulnerable user.php page with a username and password of their choice. This will add an admin user to the system.