BuffaloWill

4 exploits Active since Jan 2020
CVE-2019-19855 WRITEUP MEDIUM WRITEUP
Serpico 1.3.0 - Stored Cross-Site Scripting via admin/list_user auth_type Parameter
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/list_user allows stored XSS via the auth_type parameter.
CVSS 4.8
CVE-2019-19856 WRITEUP MEDIUM WRITEUP
Serpico 1.3.0 - Stored Cross-Site Scripting via User Type Parameter
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The User Type on the admin/list_user page allows stored XSS via the type parameter.
CVSS 4.8
CVE-2019-19858 WRITEUP MEDIUM WRITEUP
Serpico 1.3.0 - Stored Cross-Site Scripting via Author Parameter
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/add_user/UID allows stored XSS via the author parameter.
CVSS 4.8
CVE-2020-12687 WRITEUP MEDIUM WRITEUP
Serpico < 1.3.3 - Authenticated Exposure of Resource to Wrong Sphere via Admin Attachments Backup Endpoint
An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database.
CVSS 6.5