
Explore Vulnerabilities


Explore all Exploits:

School Attendance Monitoring System 1.0 – Cross-Site Request Forgery (Update Admin)

A Cross-Site Request Forgery (CSRF) vulnerability exists in School Attendance Monitoring System 1.0, which allows an attacker to update the admin account details. The vulnerability exists due to insufficient validation of user-supplied input in the 'USERID' parameter of '/[PATH]/user/controller.php?action=edit' when processing an HTTP POST request. An attacker can leverage this vulnerability to update the admin account details, such as username and password, without the knowledge of the legitimate user.

School Event Management System 1.0 – Cross-Site Request Forgery (Update Admin)

School Event Management System 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious HTML page that contains a form with hidden fields that can be used to update the administrator account. When an authenticated user visits the malicious page, the form will be submitted and the administrator account will be updated with the attacker's credentials.

School Event Management System 1.0 – Arbitrary File Upload

School Event Management System 1.0 contains an arbitrary file upload vulnerability that allows an attacker to upload a malicious file to the web server. The file is uploaded by sending a specially crafted HTTP POST request to the vulnerable application, with the filename parameter set to the name of the malicious file and the Content-Type header set to application/force-download. The uploaded file can then be accessed by sending a GET request to the vulnerable application.

School Event Management System 1.0 – SQL Injection

School Event Management System 1.0 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'index.php' script. An attacker can send a malicious SQL query to the vulnerable script to gain access to the database. This can be exploited to gain access to sensitive information such as usernames and passwords.

Point of Sales (POS) in VB.Net MySQL Database 1.0 – SQL Injection

An SQL injection vulnerability exists in Point of Sales (POS) in VB.Net MySQL Database 1.0. The application fails to properly sanitize user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by supplying malicious input to the application, which can be used to manipulate the SQL query and gain access to unauthorized data. This vulnerability affects the LoginForm1.vb file, specifically the OK_Click function, which is vulnerable to SQL injection.

Bakeshop Inventory System in VB.Net and MS Access Database 1.0 – SQL Injection

Bakeshop Inventory System in VB.Net and MS Access Database 1.0 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries into the vulnerable parameters 'U_UNAME' and 'U_PASS' of the 'LoginUser' function in the 'publicfunction.vb' file. This can allow an attacker to bypass authentication and gain access to the application.

Curriculum Evaluation System 1.0 – SQL Injection

The Curriculum Evaluation System 1.0 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries into the 'txtSearch' parameter of the 'frmCourse.vb' file and the 'username' and 'pass' parameters of the 'user.vb' file. This can allow an attacker to bypass authentication and gain access to the application.

Aplaya Beach Resort Online Reservation System 1.0 – Multiple Vulnerabilities

Aplaya Beach Resort Online Reservation System 1.0 is vulnerable to multiple attacks. The first vulnerability is an SQL injection vulnerability which allows an attacker to inject malicious SQL queries into the application. The second vulnerability is a file upload vulnerability which allows an attacker to upload malicious files to the application. The third vulnerability is a cross-site scripting vulnerability which allows an attacker to inject malicious JavaScript code into the application.

MOGG web simulator Script – SQL Injection

A SQL injection vulnerability exists in MOGG web simulator Script, which could allow an attacker to execute arbitrary SQL commands. The vulnerability is due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'play.php' script. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable script. Successful exploitation of this vulnerability could result in unauthorized access to sensitive information, or allow an attacker to modify data in the back-end database.

ASRock Drivers Elevation of Privilege Vulnerabilities

Multiple vulnerabilities were found in the AsrDrv101.sys and AsrDrv102.sys low-level drivers, installed by ASRock RGBLED and other ASRock-branded utilities, which could allow a local attacker to elevate privileges.

Recent Exploits: