Özkan Mustafa Akkuş (AkkuS)

59 exploits Active since Nov 2018
CVE-2018-25210 EXPLOITDB HIGH text WORKING POC
WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter
WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database.
CVSS 8.2
CVE-2018-25209 EXPLOITDB HIGH text WORKING POC
OpenBiz Cubi Lite 3.0.8 SQL Injection via username Parameter
OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract sensitive database information or bypass authentication.
CVSS 8.2
CVE-2018-25208 EXPLOITDB HIGH text WORKING POC
qdPM 9.1 SQL Injection via filter_by Parameters
qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.
CVSS 8.2
CVE-2018-25207 EXPLOITDB HIGH text WORKING POC
Online Quiz Maker 1.0 SQL Injection via catid Parameter
Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication.
CVSS 7.1
CVE-2018-25206 EXPLOITDB HIGH text WORKING POC
KomSeo Cart 1.3 SQL Injection via edit.php
KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Attackers can submit POST requests with malicious SQL payloads to extract sensitive database information using boolean-based blind or error-based injection techniques.
CVSS 8.2
CVE-2018-25205 EXPLOITDB HIGH text WORKING POC
ASP.NET jVideo Kit 1.0 SQL Injection via query Parameter
ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can submit malicious SQL payloads via GET or POST requests to the /search endpoint to extract sensitive database information using boolean-based blind or error-based techniques.
CVSS 8.2
CVE-2018-25204 EXPLOITDB HIGH text WORKING POC
Library CMS 1.0 SQL Injection via admin login
Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can send POST requests to the admin login endpoint with boolean-based blind SQL injection payloads in the username field to manipulate database queries and gain unauthorized access.
CVSS 8.2
CVE-2018-25203 EXPLOITDB HIGH text WORKING POC
Online Store System CMS 1.0 SQL Injection via clientaccess
Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.
CVSS 8.2
CVE-2018-25202 EXPLOITDB HIGH text WORKING POC
SAT CFDI 3.3 SQL Injection via signIn endpoint
SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application.
CVSS 8.2
CVE-2018-25201 EXPLOITDB HIGH text WORKING POC
School Management System CMS 1.0 Admin Login SQL Injection
School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials.
CVSS 7.1
CVE-2018-25195 EXPLOITDB HIGH text WORKING POC
Wecodex Hotel CMS 1.0 SQL Injection via Admin Login
Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.
CVSS 8.2
CVE-2018-25185 EXPLOITDB HIGH text WORKING POC
Wecodex Restaurant CMS 1.0 SQL Injection via Login
Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint with malicious SQL payloads using boolean-based blind or time-based blind techniques to extract sensitive database information.
CVSS 8.2
CVE-2018-25183 EXPLOITDB HIGH text WORKING POC
Shipping System CMS 1.0 SQL Injection via admin login
Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.
CVSS 8.2
CVE-2018-19457 EXPLOITDB HIGH text WORKING POC
Logicspice FAQ Script <2.9.7 - Command Injection
Logicspice FAQ Script 2.9.7 allows uploading arbitrary files, which leads to remote command execution via admin/faqs/faqimages with a .php file.
CVSS 7.2
CVE-2018-19798 EXPLOITDB HIGH python WORKING POC
Fleetco FMM <1.2 - RCE
Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary ".php" file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads to remote command execution on the remote server. Any authenticated user can exploit this.
CVSS 8.8
CVE-2018-19459 EXPLOITDB HIGH text WORKING POC
Adult Filter 1.0 - Buffer Overflow
Adult Filter 1.0 has a Buffer Overflow via a crafted Black Domain List file.
CVSS 7.8
EIP-2026-113729 EXPLOITDB text WORKING POC
WordPress Plugin Events Calendar - SQL Injection
EIP-2026-113596 EXPLOITDB text WORKING POC
WordPress Plugin Booking Calendar 3.0.0 - SQL Injection / Cross-Site Scripting
CVE-2019-5009 EXPLOITDB HIGH python WORKING POC
Vtiger CRM 7.1.0 - Code Injection
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.
CVSS 7.2
EIP-2026-113389 EXPLOITDB text WORKING POC
Wecodex Store Paypal 1.0 - SQL Injection
EIP-2026-112668 EXPLOITDB text WORKING POC
TI Online Examination System v2 - Arbitrary File Download
EIP-2026-112235 EXPLOITDB text WORKING POC
Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection
CVE-2018-18924 EXPLOITDB HIGH text WORKING POC
ProjeQtOr 7.2.5 - RCE
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
CVSS 8.8
EIP-2026-110676 EXPLOITDB text WORKING POC
PHP Dashboards 4.5 - 'email' SQL Injection
CVE-2018-19458 EXPLOITDB HIGH python WORKING POC
PHP Proxy 3.0.3 - Info Disclosure
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
CVSS 7.5