J3rryBl4nks

20 exploits Active since Jan 2020
CVE-2020-8425 WRITEUP MEDIUM WORKING POC
Cups Easy (Purchase & Inventory) 1.0 - CSRF
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account deletion via userdelete.php.
CVSS 6.5
CVE-2020-8505 EXPLOITDB MEDIUM WORKING POC
arox School Management Software PHP/mySQL < 2019-03-14 - Cross-Site Request Forgery via office_admin/?action=deleteadmin
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user.
CVSS 6.5
CVE-2020-8424 EXPLOITDB HIGH WORKING POC
Cups Easy (Purchase & Inventory) 1.0 - CSRF
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account takeover via passwordmychange.php.
CVSS 8.8
CVE-2020-10057 WRITEUP HIGH WRITEUP
GeniXCMS 1.1.7 - Cross-Site Request Forgery via Unvalidated Token
GeniXCMS 1.1.7 is vulnerable to user privilege escalation due to broken access control. This issue exists because of an incomplete fix for CVE-2015-2680, in which "token" is used as a CSRF protection mechanism, but without validation that "token" is associated with an administrative user.
CVSS 8.8
CVE-2020-8424 WRITEUP HIGH WORKING POC
Cups Easy (Purchase & Inventory) 1.0 - CSRF
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account takeover via passwordmychange.php.
CVSS 8.8
CVE-2020-9266 WRITEUP MEDIUM WORKING POC
SOPlanning 1.45 - Cross-Site Request Forgery via xajax_server.php
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary changing of the admin password via process/xajax_server.php.
CVSS 6.5
CVE-2020-9267 WRITEUP MEDIUM WORKING POC
Soplanning - Cross-Site Request Forgery
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary user creation via process/xajax_server.php.
CVSS 6.5
CVE-2020-9268 WRITEUP HIGH WRITEUP
SoPlanning 1.45 - SQL Injection via OrderBy Clause
SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= substring.
CVSS 7.5
CVE-2020-9270 WRITEUP HIGH WORKING POC
icehrm 26.2.0 - Cross-Site Request Forgery via service.php
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php.
CVSS 8.8
CVE-2020-9271 WRITEUP MEDIUM WORKING POC
icehrm 26.2.0 - Cross-Site Request Forgery via service.php
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php.
CVSS 6.5
CVE-2020-9340 WRITEUP HIGH WRITEUP
fauzantrif eLection 2.0 - SQL Injection via admin/ajax/op_kandidat.php id Parameter
fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.
CVSS 7.2
CVE-2020-37154 EXPLOITDB HIGH text WRITEUP
eLection 2.0 - Authenticated SQL Injection
eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory.
CVSS 7.1
CVE-2020-37151 EXPLOITDB HIGH text WORKING POC
phpMyChat Plus 1.98 - SQL Injection
phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to extract sensitive database information by crafting malicious payloads in the username field.
CVSS 8.2
EIP-2026-112347 EXPLOITDB text WORKING POC
SOPlanning 1.45 - 'by' SQL Injection
EIP-2026-112349 EXPLOITDB text WORKING POC
SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
EIP-2026-112348 EXPLOITDB text WORKING POC
SOPlanning 1.45 - 'users' SQL Injection
CVE-2020-8504 EXPLOITDB MEDIUM text WORKING POC
arox School Management Software PHP/mySQL < 2019-03-14 - Cross-Site Request Forgery via Add Admin Action
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user.
CVSS 6.5
EIP-2026-107725 EXPLOITDB text WORKING POC
Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
CVE-2020-8425 EXPLOITDB MEDIUM text WORKING POC
Cups Easy (Purchase & Inventory) 1.0 - CSRF
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account deletion via userdelete.php.
CVSS 6.5
EIP-2026-105704 EXPLOITDB text WORKING POC
CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)