Blakduk

12 exploits Active since Jan 2023
CVE-2021-37498 WRITEUP MEDIUM WRITEUP
Reprise License Manager < 17.0 - Server-Side Request Forgery via License Activation actserver Parameter
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.
CVSS 6.5
CVE-2021-37499 WRITEUP MEDIUM WRITEUP
Reprise License Manager < 17.0 - HTTP Header Injection via Password Parameter in View License Result
CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.
CVSS 6.5
CVE-2021-37500 WRITEUP HIGH WRITEUP
Reprise License Manager < 16.0 - Path Traversal and Arbitrary File Write via Diagnostics Function
Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server.
CVSS 8.1
CVE-2023-24322 WRITEUP MEDIUM WRITEUP
mojoportal 2.7.0.0 - Reflected Cross-Site Scripting via FileDialog.aspx Parameters
A reflected cross-site scripting (XSS) vulnerability in the FileDialog.aspx component of mojoPortal v2.7.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ed and tbi parameters.
CVSS 6.1
CVE-2023-24323 WRITEUP HIGH WRITEUP
mojoportal v2.7 - Authenticated XML External Entity Injection
Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.
CVSS 8.8
CVE-2023-24684 WRITEUP HIGH WRITEUP
ChurchCRM < 4.5.3 - SQL Injection via EID Parameter at GetText.php
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php.
CVSS 7.2
CVE-2023-24685 WRITEUP HIGH WRITEUP
ChurchCRM < 4.5.3 - SQL Injection via Event Attendance Reports Event Parameter
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module.
CVSS 7.2
CVE-2023-24686 WRITEUP MEDIUM WRITEUP
ChurchCRM < 4.5.3 - Remote Code Execution via CSV Import
An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a crafted CSV file.
CVSS 4.8
CVE-2023-24687 WRITEUP MEDIUM WRITEUP
mojoportal 2.7.0.0 - Stored Cross-Site Scripting via Company Info Settings txtCompanyName Parameter
Mojoportal v2.7.0.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Company Info Settings component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtCompanyName parameter.
CVSS 5.4
CVE-2023-24688 WRITEUP MEDIUM WRITEUP
mojoportal 2.7.0.0 - Unauthenticated User Registration Bypass
An issue in Mojoportal v2.7.0.0 allows an unauthenticated attacker to register a new user even if the Allow User Registrations feature is disabled.
CVSS 5.3
CVE-2023-24689 WRITEUP MEDIUM WRITEUP
Mojoportal <2.7.0.0 - Info Disclosure
An issue in Mojoportal v2.7.0.0 and below allows an authenticated attacker to list all css files inside the root path of the webserver via manipulation of the "s" parameter in /DesignTools/ManageSkin.aspx
CVSS 4.3
CVE-2023-24690 WRITEUP MEDIUM WRITEUP
ChurchCRM < 4.5.3 - Stored Cross-Site Scripting via Family Registration Endpoint
ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.
CVSS 5.4