CodeSecLab

28 exploits Active since Mar 2017
CVE-2021-44567 EXPLOITDB CRITICAL text WORKING POC
Rosariosis < 7.6.1 - SQL Injection
An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.
CVSS 9.8
CVE-2020-15718 EXPLOITDB MEDIUM text WORKING POC
Rosariosis - XSS
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php script. A remote attacker could exploit this vulnerability using the include_inactive parameter in a crafted URL.
CVSS 6.1
CVE-2020-15716 EXPLOITDB MEDIUM text WORKING POC
Rosariosis - XSS
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.
CVSS 6.1
CVE-2023-33362 EXPLOITDB CRITICAL text WORKING POC
Piwigo 13.6.0 - SQL Injection
Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.
CVSS 9.8
CVE-2020-20969 EXPLOITDB HIGH text WORKING POC
Pluck - Unrestricted File Upload
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.
CVSS 7.2
CVE-2018-11736 EXPLOITDB CRITICAL text WORKING POC
Pluck < 4.7.7 - Unrestricted File Upload
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.
CVSS 9.8
CVE-2023-24657 EXPLOITDB MEDIUM text WORKING POC
phpipam <1.6 - XSS
phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php.
CVSS 6.1
CVE-2019-16693 EXPLOITDB CRITICAL text WORKING POC
phpIPAM 1.4 - SQL Injection
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.
CVSS 9.8
CVE-2023-1211 EXPLOITDB HIGH text WORKING POC
Phpipam < 1.5.2 - SQL Injection
SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.
CVSS 7.2
CVE-2024-41358 EXPLOITDB MEDIUM text WORKING POC
Phpipam - XSS
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php.
CVSS 6.1
CVE-2024-41357 EXPLOITDB HIGH text WORKING POC
Phpipam - XSS
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php.
CVSS 7.1
CVE-2020-5504 EXPLOITDB HIGH text WORKING POC
phpMyAdmin <4.9.4-5.0.1 - SQL Injection
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
CVSS 8.8
CVE-2017-15735 EXPLOITDB HIGH text WORKING POC
Phpmyfaq < 2.9.8 - CSRF
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary.
CVSS 8.8
CVE-2017-15808 EXPLOITDB HIGH text WORKING POC
Phpmyfaq < 2.9.8 - CSRF
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php.
CVSS 8.8
CVE-2017-15734 EXPLOITDB HIGH text WORKING POC
Phpmyfaq < 2.9.8 - CSRF
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php.
CVSS 8.8
CVE-2022-4407 EXPLOITDB MEDIUM text WORKING POC
Phpmyfaq < 3.1.9 - XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
CVSS 6.1
CVE-2019-25024 EXPLOITDB CRITICAL text WORKING POC
OpenRepeater <2.2 - Command Injection
OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter.
CVSS 9.8
CVE-2021-40617 EXPLOITDB CRITICAL text WORKING POC
openSIS CE <8.0 - SQL Injection
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
CVSS 9.8
CVE-2018-25080 EXPLOITDB LOW text WORKING POC
MobileDetect <2.8.31 - XSS
A vulnerability, which was classified as problematic, has been found in MobileDetect 2.8.31. This issue affects the function initLayoutType of the file examples/session_example.php of the component Example. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.8.32 is able to address this issue. The identifier of the patch is 31818a441b095bdc4838602dbb17b8377d1e5cce. It is recommended to upgrade the affected component. The identifier VDB-220061 was assigned to this vulnerability.
CVSS 3.5
CVE-2018-1000638 EXPLOITDB MEDIUM text WORKING POC
MiniCMS 1.1 - XSS
MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection.
CVSS 6.1
CVE-2021-28976 EXPLOITDB HIGH text WORKING POC
Get-simple Getsimplecms < 3.3.15 - Unrestricted File Upload
Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar filess.
CVSS 7.2
CVE-2020-18662 EXPLOITDB CRITICAL text WORKING POC
Gnuboard5 <=5.3.2.8 - SQL Injection
SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php.
CVSS 9.8
CVE-2019-13961 EXPLOITDB HIGH text WORKING POC
flatCore <1.5 - CSRF
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
CVSS 8.8
CVE-2019-10652 EXPLOITDB HIGH text WORKING POC
Flatcore - Unrestricted File Upload
An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote authenticated administrators to upload arbitrary .php files, related to the addons feature.
CVSS 7.2
CVE-2022-0088 EXPLOITDB HIGH text WORKING POC
Yourls < 1.8.3 - CSRF
Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.
CVSS 7.4