Javier Olmedo

19 exploits Active since Feb 2018
CVE-2018-6396 NOMISEC CRITICAL WORKING POC
Google Map Landkarten <= 4.2.3 - SQL Injection via cid/id/map Parameters
SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action.
8 stars
CVSS 9.8
CVE-2018-6389 NOMISEC HIGH WORKING POC
WordPress < 4.9.2 - Unauthenticated Denial of Service via Repeated JavaScript File Loading
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
2 stars
CVSS 7.5
CVE-2018-15571 EXPLOITDB HIGH text WORKING POC
Export Users to CSV < 1.1.1 - CSV Injection
The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.
CVSS 8.6
CVE-2018-18922 EXPLOITDB CRITICAL text WORKING POC
AbiSoft Ticketly 1.0 - Unauthenticated Privilege Escalation via add_user Action
add_user in AbiSoft Ticketly 1.0 allows remote attackers to create administrator accounts via an action/add_user.php POST request.
CVSS 9.8
CVE-2019-19031 EXPLOITDB HIGH text WORKING POC
Easy XML Editor <1.7.8 - XML External Entity Injection
Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.
CVSS 8.1
EIP-2026-119421 EXPLOITDB text WORKING POC
Sentrifugo HRMS 3.2 - 'deptid' SQL Injection
CVE-2019-19032 EXPLOITDB HIGH text WORKING POC
XMLBlueprint <16.191112 - XML External Entity Injection
XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload.
CVSS 8.1
CVE-2018-13832 EXPLOITDB MEDIUM text WORKING POC
all_in_one_favicon < 4.6 - Persistent Cross-Site Scripting via Favicon Text Fields
Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text.
CVSS 4.8
CVE-2019-15092 EXPLOITDB HIGH text WORKING POC
Webtoffee WordPress Users & WooCommerce Customers Import Export <1....
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
CVSS 7.3
EIP-2026-112671 EXPLOITDB text WORKING POC
Ticketly 1.0 - 'name' SQL Injection
CVE-2018-18923 EXPLOITDB CRITICAL text WORKING POC
AbiSoft Ticketly 1.0 - SQL Injection via Multiple Parameters
AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id and status_id in reports.php.
CVSS 9.8
CVE-2019-7400 EXPLOITDB MEDIUM text WORKING POC
Rukovoditel < 2.4.1 - Cross-Site Scripting
Rukovoditel before 2.4.1 allows XSS.
CVSS 6.1
EIP-2026-110761 EXPLOITDB text WORKING POC
PHP Server Monitor 3.3.1 - Cross-Site Request Forgery
CVE-2018-15917 EXPLOITDB MEDIUM text WORKING POC
Jorani 0.6.5 - Stored Cross-Site Scripting via Language Parameter
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
CVSS 5.4
CVE-2018-15918 EXPLOITDB MEDIUM text WORKING POC
Jorani 0.6.5 - SQL Injection via Startdate or Enddate Parameter
An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) allows a user of the application without permissions to read and modify sensitive information from the database used by the application via the startdate or enddate parameter to leaves/validate.
CVSS 5.4
CVE-2018-19828 EXPLOITDB MEDIUM text WORKING POC
Artica Integria IMS 5.0.83 - Cross-Site Scripting via search_string Parameter
Artica Integria IMS 5.0.83 has XSS via the search_string parameter.
CVSS 6.1
CVE-2018-19829 EXPLOITDB MEDIUM html WORKING POC
Artica Integria IMS 5.0.83 - Cross-Site Request Forgery in User List Management
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVSS 6.5
EIP-2026-106935 EXPLOITDB python WORKING POC
Event Registration System with QR Code 1.0 - Authentication Bypass
CVE-2020-9038 EXPLOITDB MEDIUM text WORKING POC
Joplin < 1.0.184 - Stored Cross-Site Scripting and Arbitrary File Read
Joplin through 1.0.184 allows Arbitrary File Read via XSS.
CVSS 5.4