BigTiger2020

44 exploits. Active since Nov 2020.
CVE-2020-25537 WRITEUP CRITICAL WRITEUP
UCMS 1.5.0 - Unrestricted Upload of File with Dangerous Type
File upload vulnerability exists in UCMS 1.5.0, and the attacker can take advantage of this vulnerability to obtain server management permission.
CVSS 9.8
CVE-2020-26609 WRITEUP MEDIUM WRITEUP
fastadmin V1.0.0.20200506_beta - XSS
fastadmin V1.0.0.20200506_beta contains a cross-site scripting (XSS) vulnerability which may allow an attacker to obtain administrator credentials and log in to the administrative back end.
CVSS 5.4
CVE-2020-29279 WRITEUP CRITICAL WRITEUP
74cms < 6.0.48 - Remote Code Execution via assign_resume_tpl Method
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
CVSS 9.8
CVE-2020-29283 WRITEUP CRITICAL WRITEUP
Online Doctor Appointment Booking System - SQL Injection
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and MySQL via the q parameter to getuser.php.
CVSS 9.8
CVE-2020-29285 WRITEUP CRITICAL WRITEUP
Point of Sales in PHP/PDO 1.0 - SQL Injection via edit_category.php id Parameter
An SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php.
CVSS 9.8
CVE-2020-35339 WRITEUP CRITICAL WRITEUP
74cms 5.0.1 - Remote Code Execution via ConfigController and functions.php
In 74cms version 5.0.1, there is a remote code execution vulnerability in /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php where attackers can obtain server permissions and control the server.
CVSS 9.8
CVE-2020-36002 WRITEUP HIGH WORKING POC
seat-reservation-system 1.0 - SQL Injection via index.php id Parameter
Seat-Reservation-System 1.0 has an SQL injection vulnerability via the id parameter to index.php, through which attackers can obtain sensitive database information.
CVSS 7.5
CVE-2021-25204 WRITEUP MEDIUM WRITEUP
SourceCodester E-Commerce Website <1.0 - XSS
Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject arbitrary web script or HTML via the subject field to feedback_process.php.
CVSS 5.4
CVE-2021-25205 WRITEUP CRITICAL WRITEUP
SourceCodester E-Commerce Website V 1.0 - SQL Injection
SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL statements via the update parameter to empViewUpdate.php.
CVSS 9.8
CVE-2021-25206 WRITEUP CRITICAL WRITEUP
SourceCodester Responsive Ordering System <1.0 - RCE
Arbitrary file upload vulnerability in SourceCodester Responsive Ordering System v 1.0 allows attackers to execute arbitrary code via the file upload to Product_model.php.
CVSS 9.8
CVE-2021-25207 WRITEUP CRITICAL WRITEUP
SourceCodester E-Commerce Website <1.0 - Code Injection
Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary code via the file upload to prodViewUpdate.php.
CVSS 9.8
CVE-2021-25208 WRITEUP CRITICAL WRITEUP
SourceCodester Travel Management System <1.0 - RCE
Arbitrary file upload vulnerability in SourceCodester Travel Management System v 1.0 allows attackers to execute arbitrary code via the file upload to updatepackage.php.
CVSS 9.8
CVE-2021-25209 WRITEUP CRITICAL WRITEUP
SourceCodester Theme Park Ticketing System <1.0 - SQL Injection
SQL injection vulnerability in SourceCodester Theme Park Ticketing System v 1.0 allows remote attackers to execute arbitrary SQL statements via the id parameter to view_user.php.
CVSS 9.8
CVE-2021-25210 WRITEUP CRITICAL WRITEUP
SourceCodester Alumni Management System <1.0 - RCE
Arbitrary file upload vulnerability in SourceCodester Alumni Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to manage_event.php.
CVSS 9.8
CVE-2021-25211 WRITEUP CRITICAL WRITEUP
SourceCodester Ordering System <1.0 - RCE
Arbitrary file upload vulnerability in SourceCodester Ordering System v 1.0 allows attackers to execute arbitrary code, via the file upload to ordering\admin\products\edit.php.
CVSS 9.8
CVE-2021-25212 WRITEUP CRITICAL WRITEUP
SourceCodester Alumni Management System <1.0 - SQL Injection
SQL injection vulnerability in SourceCodester Alumni Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to manage_event.php.
CVSS 9.8
CVE-2021-25213 WRITEUP CRITICAL WRITEUP
SourceCodester Travel Management System <1.0 - SQL Injection
SQL injection vulnerability in SourceCodester Travel Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php.
CVSS 9.8
CVE-2021-26223 WRITEUP CRITICAL WRITEUP
CASAP Automated Enrollment System 1.0 - SQL Injection via view_pay.php id Parameter
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_pay.php.
CVSS 9.8
CVE-2021-26224 WRITEUP MEDIUM WRITEUP
SourceCodester Fantastic-Blog-CMS 1.0 - Cross-Site Scripting via Search Field
Cross-site scripting (XSS) vulnerability in SourceCodester Fantastic-Blog-CMS V 1.0 allows remote attackers to inject arbitrary web script or HTML via the search field to search.php.
CVSS 6.1
CVE-2021-26226 WRITEUP CRITICAL WRITEUP
CASAP Automated Enrollment System 1.0 - SQL Injection via edit_user.php id Parameter
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_user.php.
CVSS 9.8
CVE-2021-26227 WRITEUP MEDIUM WRITEUP
CASAP Automated Enrollment System 1.0 - Stored Cross-Site Scripting via Student Information Parameters
Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the student information parameters to edit_stud.php.
CVSS 6.1
CVE-2021-26228 WRITEUP CRITICAL WRITEUP
CASAP Automated Enrollment System 1.0 - SQL Injection via edit_class1.php id Parameter
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_class1.php.
CVSS 9.8
CVE-2021-26229 WRITEUP CRITICAL WRITEUP
CASAP Automated Enrollment System 1.0 - SQL Injection via edit_stud.php id Parameter
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_stud.php.
CVSS 9.8
CVE-2021-26230 WRITEUP MEDIUM WRITEUP
CASAP Automated Enrollment System 1.0 - Stored Cross-Site Scripting via User Information to save_user.php
Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the user information to save_user.php.
CVSS 6.1
CVE-2021-26231 WRITEUP CRITICAL WRITEUP
Fantastic Blog CMS 1.0 - SQL Injection via Category ID Parameter
SQL injection vulnerability in SourceCodester Fantastic Blog CMS v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to category.php.
CVSS 9.8