Bobby Cooke (boku)

16 exploits Active since Feb 2018
CVE-2020-23839 NOMISEC MEDIUM WORKING POC
GetSimple CMS <3.3.16 - XSS
A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.
11 stars
CVSS 6.1
CVE-2020-23831 WRITEUP MEDIUM WORKING POC
SourceCodester Stock Management System v1.0 - XSS
A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Stock Management System v1.0 allows remote attackers to harvest login credentials and session cookies when an unauthenticated victim clicks on a malicious URL and enters credentials.
CVSS 6.4
CVE-2020-24202 WRITEUP CRITICAL WORKING POC
Projects World House Rental v1.0 - RCE
The File Upload component in Projects World House Rental v1.0 allows regular (non-admin) users to upload arbitrary files, which lets remote attackers achieve code execution on the server.
CVSS 9.8
CVE-2021-47870 EXPLOITDB MEDIUM python WORKING POC
GetSimple CMS My SMTP Contact Plugin 1.1.2 - XSS
GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page.
CVSS 5.4
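The bypass described above is a context mismatch: htmlspecialchars() encodes HTML metacharacters, but if the encoded value is later inlined into a JavaScript string literal, the JS parser decodes escapes such as \x3c after PHP has finished. The following is an added example, not code from the My SMTP Contact plugin; the inline-script template is an assumption about the sink, chosen to show the failure and a context-aware encoder side by side.

```javascript
// Added example (not the plugin's code): htmlspecialchars() versus a
// JavaScript-string-context encoder. The <script> template is assumed.

// Emulates PHP htmlspecialchars() with PHP 8.1+ default flags: & < > " '
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (assumed sink): the HTML-encoded value is pasted into a
// <script> string literal. The JS parser decodes \xHH escapes after PHP ran,
// so '<' and '>' reappear at runtime although htmlspecialchars() never saw them.
function buildScriptVulnerable(userValue) {
  return `var subject = "${htmlspecialchars(userValue)}";`;
}

// Hardened pattern: encode for the JavaScript-string context. JSON.stringify
// escapes backslashes and quotes, so attacker-supplied "\x3c" stays two
// literal characters; the extra replace turns HTML-significant characters into
// \uXXXX so the literal is also safe inside a <script> block (no "</script>").
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function buildScriptHardened(userValue) {
  return `var subject = ${jsStringLiteral(userValue)};`;
}

// Stand-in for the browser parsing the generated <script>: evaluate it and
// return the runtime value of `subject`, i.e. what would reach a DOM sink.
function runtimeValue(scriptSource) {
  return new Function(scriptSource + ' return subject;')();
}

// Constructed attacker input: '<' and '>' spelled as JS hex escapes \x3c / \x3e,
// so the string contains none of the characters htmlspecialchars() encodes.
const payload = '\\x3cimg src=x onerror=alert(1)\\x3e';

// runtimeValue(buildScriptVulnerable(payload)) -> '<img src=x onerror=alert(1)>'
// runtimeValue(buildScriptHardened(payload))   -> '\x3cimg src=x onerror=alert(1)\x3e'
```

Encoding for the string context only fixes that layer: if the runtime value is later written with innerHTML, it must be HTML-encoded again at that point (or written with textContent), because a plain `<img onerror=...>` input would otherwise still execute.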
CVE-2021-47860 EXPLOITDB MEDIUM python WORKING POC
GetSimple CMS Custom JS 0.1 - CSRF
The GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery (CSRF) vulnerability that lets an unauthenticated attacker plant arbitrary client-side code that runs in administrators' browsers. An attacker can craft a malicious website that, when visited by an authenticated administrator, triggers the cross-site scripting payload, which then uses the administrator's session to execute remote code on the hosting server.
CVSS 5.3
CVE-2021-47830 EXPLOITDB MEDIUM python WORKING POC
GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF
GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution.
CVSS 6.5
CVE-2021-47778 EXPLOITDB HIGH python WORKING POC
GetSimple CMS My SMTP Contact Plugin <1.1.2 - Code Injection
GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.
CVSS 7.2
CVE-2020-23837 EXPLOITDB HIGH text WORKING POC
GetSimple CMS Multi User 1.8.2 - CSRF
A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL.
CVSS 8.8
CVE-2020-23836 EXPLOITDB HIGH text WORKING POC
OSWA-INV <2020-08-10 - CSRF
A Cross-Site Request Forgery (CSRF) vulnerability in edit_user.php in OSWAPP Warehouse Inventory System (aka OSWA-INV) through 2020-08-10 allows remote attackers to change the admin's password after an authenticated admin visits a third-party site.
CVSS 8.8
CVE-2020-23834 EXPLOITDB HIGH text WORKING POC
Real Time Logic BarracudaDrive <6.5 - Privilege Escalation
Insecure file permissions on the bd service in Real Time Logic BarracudaDrive v6.5 allow local attackers to escalate privileges to LocalSystem by replacing the %SYSTEMDRIVE%\bd\bd.exe binary. When the computer next starts, the replaced bd.exe is run as LocalSystem.
CVSS 8.8
CVE-2018-6892 EXPLOITDB CRITICAL python WORKING POC
CloudMe Sync < 1.10.9 - Memory Corruption
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload that causes a buffer overflow. This gives the attacker control of the program's execution flow and allows arbitrary code execution.
CVSS 9.8
CVE-2020-24193 EXPLOITDB CRITICAL text WORKING POC
Sourcecodetester Daily Tracker System 1.0 - SQL Injection
A SQL injection vulnerability in the login of Sourcecodetester Daily Tracker System 1.0 allows an unauthenticated user to bypass authentication via SQL injection in the email parameter.
CVSS 9.8
CVE-2020-23835 EXPLOITDB MEDIUM text WORKING POC
SourceCodester Tailor Management System v1.0 - XSS
A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Tailor Management System v1.0 allows remote attackers to capture the keystrokes of an unauthenticated victim who clicks on a malicious URL and begins typing.
CVSS 6.4
EIP-2026-107658 EXPLOITDB text WORKING POC
House Rental 1.0 - 'keywords' SQL Injection
CVE-2020-23839 EXPLOITDB MEDIUM python WORKING POC
GetSimple CMS <3.3.16 - XSS
A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.
CVSS 6.1