Kishan Lal Choudhary

5 exploits, active since May 2020
CVE-2020-37073 EXPLOITDB HIGH text WORKING POC
Victor CMS 1.0 - Authenticated RCE
Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing the uploaded file with a 'cmd' parameter.
CVSS 8.8
CVE-2020-37072 EXPLOITDB HIGH text WORKING POC
Victor CMS 1.0 - XSS
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.
CVSS 7.2
CVE-2020-13384 EXPLOITDB HIGH text WORKING POC
Monstra CMS 3.0.4 - Code Injection
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
CVSS 8.8
EIP-2026-113076 EXPLOITDB text WORKING POC
Victor CMS 1.0 - 'cat_id' SQL Injection
EIP-2026-111612 EXPLOITDB text WORKING POC
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting