Ishaq Mohammed

11 exploits Active since Sep 2017
CVE-2017-18049 EXPLOITDB MEDIUM text WORKING POC
Silverstripe < 3.5.5 - Injection
In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
CVSS 5.5
CVE-2017-18048 EXPLOITDB HIGH text WORKING POC
Monstra - Unrestricted File Upload
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.
CVSS 8.8
CVE-2017-18048 METASPLOIT HIGH ruby WORKING POC
Monstra - Unrestricted File Upload
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.
CVSS 8.8
CVE-2017-14618 EXPLOITDB MEDIUM text WORKING POC
phpMyFAQ <2.9.8 - XSS
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
CVSS 4.8
CVE-2017-14619 EXPLOITDB MEDIUM text WRITEUP
phpMyFAQ <2.9.8 - XSS
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
CVSS 6.1
CVE-2017-15284 EXPLOITDB MEDIUM text WRITEUP
October < 1.0.426 - XSS
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
CVSS 5.4
CVE-2017-16807 EXPLOITDB MEDIUM text WRITEUP
Kirby Panel <2.3.3, <2.4.2, <2.5.7 - XSS
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
CVSS 5.4
CVE-2017-15879 EXPLOITDB HIGH text WORKING POC
Keystone < 4.0.0 - Improper Input Validation
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
CVSS 8.8
CVE-2017-15878 EXPLOITDB MEDIUM text WORKING POC
Keystone < 4.0.0 - XSS
A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.
CVSS 6.1
CVE-2019-10349 EXPLOITDB MEDIUM text WRITEUP
Jenkins Dependency Graph Viewer < 0.13 - XSS
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
CVSS 5.4
CVE-2019-6804 EXPLOITDB MEDIUM text WRITEUP
Pagerduty Rundeck < 3.0.13 - XSS
An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascripts/workflowStepEditorKO.js and views/execution/_wfitemEdit.gsp.
CVSS 6.1