MarioTesoro

18 exploits Active since Oct 2024
CVE-2024-42210 GITHUB HIGH WRITEUP
HCL Unica Marketing Operations v12.1.8 and lower is affected by a Stored cross-site scripting (XSS) vulnerability
A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower.  Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
CVSS 7.6
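The entry above describes the stored (second-order) XSS pattern in general terms. The following is an added illustration, not HCL Unica code: an in-memory list stands in for the persisted field, a constructed payload is stored, and two renderers show the difference between splicing stored data into HTML and encoding it for the HTML text-node context at output time. All names (STORE, PAYLOAD, render_vulnerable, render_hardened) are hypothetical.

```python
import html

# Added example, not the product's code. This list stands in for the
# database field where a stored-XSS payload would persist (hypothetical).
STORE: list[str] = []

# Constructed payload: an attribute-context event handler rather than
# <script>, since naive filters often only look for the latter.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def save_comment(text: str) -> None:
    """Untrusted input is stored verbatim; storage is not where the fix belongs."""
    STORE.append(text)


def render_vulnerable() -> str:
    """A later response splices stored data straight into HTML: second-order XSS."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in STORE) + "</ul>"


def render_hardened() -> str:
    """Encode for the HTML text-node context at output time."""
    return "<ul>" + "".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in STORE
    ) + "</ul>"


def carries_payload(page: str) -> bool:
    """True if the response still contains the payload as live markup."""
    return PAYLOAD in page


def demo() -> dict:
    """Store a harmless comment and the payload, then render both ways."""
    STORE.clear()
    save_comment("first, harmless comment")
    save_comment(PAYLOAD)
    vuln = render_vulnerable()
    safe = render_hardened()
    encoded = "&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;"
    return {
        "vulnerable_executes": carries_payload(vuln),   # True
        "hardened_executes": carries_payload(safe),     # False
        "hardened_shows_text": encoded in safe,         # True: browser shows literal text
    }
```

html.escape is correct only for the HTML body and quoted-attribute contexts; data placed inside a script block, a URL, or CSS needs the encoder for that context, and a Content-Security-Policy without unsafe-inline is a worthwhile second layer.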
CVE-2024-54001 GITHUB MEDIUM WRITEUP
Kanboard - XSS
Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored in the application settings section. The fields application_language, application_date_format, application_timezone and application_time_format accept arbitrary user input that is reflected back. The injection becomes XSS if the stored input is JavaScript that bypasses the CSP. This vulnerability is fixed in 1.2.41.
CVSS 5.5
CVE-2025-9208 GITHUB MEDIUM WRITEUP
OpenText Web Site Management Server 16.7.X-16.8.1 - XSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data. This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.
CVSS 5.4
CVE-2025-36248 GITHUB MEDIUM WRITEUP
IBM Copy Services Manager < 6.3.14 - XSS
IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credential disclosure within a trusted session.
CVSS 6.1
CVE-2025-13672 GITHUB MEDIUM WORKING POC
OpenText Web Site Management 16.7.0-16.7.1 - XSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that were then rendered in the page preview, so that malicious scripts could be executed on the client side. This issue affects Web Site Management Server: 16.7.0, 16.7.1.
CVSS 5.4
CVE-2025-13671 GITHUB MEDIUM WORKING POC
OpenText Web Site Management Server 16.7.0-16.7.1 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. A user with an active session in the product who visits a page containing the malicious HTML could be made to perform changes in the product without being aware of it. This issue affects Web Site Management Server: 16.7.0, 16.7.1.
CVSS 6.5
CVE-2025-13671 WRITEUP MEDIUM WRITEUP
OpenText Web Site Management Server 16.7.0-16.7.1 - CSRF
CVSS 6.5
CVE-2025-13672 WRITEUP MEDIUM WRITEUP
OpenText Web Site Management 16.7.0-16.7.1 - XSS
CVSS 5.4
CVE-2024-46542 WRITEUP MEDIUM WORKING POC
Veritas / Arctera Data Insight <7.1.1 - SQL Injection
Veritas / Arctera Data Insight before 7.1.1 allows Application Administrators to conduct SQL injection attacks.
CVSS 6.5
CVE-2024-47854 WRITEUP MEDIUM WORKING POC
Veritas Data Insight <7.1 - XSS
An XSS vulnerability was discovered in Veritas Data Insight before 7.1. It allows a remote attacker to inject an arbitrary web script into an HTTP request that could be reflected back to an authenticated user without sanitization and executed in that user's browser.
CVSS 6.1
CVE-2024-48569 WRITEUP MEDIUM WRITEUP
Proactive Risk Manager <9.1.1.0 - XSS
Proactive Risk Manager version 9.1.1.0 is affected by multiple Cross-Site Scripting (XSS) vulnerabilities in the add/edit form fields at URLs under the subpaths /ar/config/configuation/ and /ar/config/risk-strategy-control/.
CVSS 5.4
CVE-2024-54792 WRITEUP MEDIUM WRITEUP
ENG Spagobi - CSRF
A Cross-Site Request Forgery (CSRF) vulnerability has been found in SpagoBI v3.5.1 in the user administration panel. An authenticated user can lead another user into executing unwanted actions within the application they are logged into, such as adding, editing or deleting users.
CVSS 6.1
CVE-2024-54794 WRITEUP CRITICAL WRITEUP
ENG Spagobi - Command Injection
The script input feature of SpagoBI 3.5.1 allows arbitrary code execution.
CVSS 9.1
CVE-2024-54795 WRITEUP MEDIUM WRITEUP
ENG Spagobi - XSS
SpagoBI v3.5.1 contains multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the create/edit forms of the worksheet designer function.
CVSS 5.4
CVE-2024-56340 WRITEUP MEDIUM WRITEUP
IBM Cognos Analytics < 11.2.4 - Path Traversal
IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to a local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads in the deficon parameter.
CVSS 6.5
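The entry above describes path traversal through a file-name parameter. As an added example (not IBM Cognos code, and the parameter name is not used), the block below contrasts a hypothetical handler that joins user input onto a base directory and trusts the result with one that decodes once, canonicalises, and then requires the resolved path to remain under the base. It checks the three usual bypass shapes: plain ../ sequences, URL-encoded separators, and an absolute path that os.path.join silently accepts.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_vulnerable(base_dir: str, user_path: str) -> str:
    """Hypothetical 'before': join and trust. An absolute user_path discards base_dir."""
    return os.path.join(base_dir, unquote(user_path))


def resolve_hardened(base_dir: str, user_path: str) -> str:
    """Decode once, canonicalise (resolving symlinks), then enforce containment."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    # commonpath is the containment test; a prefix string compare alone would
    # accept "/srv/icons_private" as being under "/srv/icons".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway icon directory and try legit and traversal inputs."""
    with tempfile.TemporaryDirectory() as base:
        icons = os.path.join(base, "icons")
        os.mkdir(icons)
        with open(os.path.join(icons, "default.png"), "wb") as fh:
            fh.write(b"\x89PNG")  # constructed placeholder content

        results = {"legit_ok": os.path.isfile(resolve_hardened(base, "icons/default.png"))}

        # Constructed traversal inputs; the target file need not exist for the test.
        probes = {
            "dotdot": "../../../../etc/hostname",
            "encoded": "..%2F..%2F..%2F..%2Fetc%2Fhostname",
            "absolute": "/etc/hostname",
        }
        for name, probe in probes.items():
            vuln_target = os.path.normpath(resolve_vulnerable(base, probe))
            results[f"{name}_vuln_escapes"] = not vuln_target.startswith(base + os.sep)
            try:
                resolve_hardened(base, probe)
                results[f"{name}_hardened_blocks"] = False
            except ValueError:
                results[f"{name}_hardened_blocks"] = True
        return results
```

Decode exactly once: if the web framework has already URL-decoded the parameter, drop the unquote call, otherwise a double-encoded %252e%252e slips past the check. On Windows, backslashes and drive-letter prefixes need the same treatment; realpath and commonpath handle them there, but the test above is written for POSIX paths.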
CVE-2025-56699 WRITEUP MEDIUM WRITEUP
Centrax Open PSIM <6.1 - SQL Injection
SQL injection vulnerability in the cmd component of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows an unauthenticated user to execute arbitrary SQL commands via the sender parameter.
CVSS 5.4
CVE-2025-56700 WRITEUP MEDIUM WRITEUP
Centrax Open PSIM <6.1 - SQL Injection
Boolean SQL injection vulnerability in the web app of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows a low-privileged user with access to the platform to execute arbitrary SQL commands via the datafine parameter.
CVSS 5.4
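The two entries above describe SQL injection reachable through a request parameter, the second of the boolean (blind) kind. As an added example that is not Centrax code, the block below builds a small SQLite table, runs a hypothetical date filter both as spliced SQL text and as a parameterised query, and shows the boolean oracle a tester uses: two payloads that should return the same result return different row counts only when the input reaches the SQL parser. The same oracle is then used to infer one fact about another row, which is how blind extraction proceeds. Table and column names are invented; the real parameter name is used only as a label.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, datafine TEXT, severity TEXT)"
    )
    conn.executemany(
        "INSERT INTO events (datafine, severity) VALUES (?, ?)",
        [("2025-01-01", "low"), ("2025-01-02", "high"), ("2025-01-03", "high")],
    )
    return conn


def count_vulnerable(conn: sqlite3.Connection, datafine: str) -> int:
    """Hypothetical 'before': the parameter value is spliced into SQL text."""
    sql = f"SELECT COUNT(*) FROM events WHERE datafine = '{datafine}'"
    return conn.execute(sql).fetchone()[0]


def count_hardened(conn: sqlite3.Connection, datafine: str) -> int:
    """Bound parameter: the value can never be parsed as SQL."""
    sql = "SELECT COUNT(*) FROM events WHERE datafine = ?"
    return conn.execute(sql, (datafine,)).fetchone()[0]


# Constructed boolean probes: identical except for the trailing condition.
TRUE_PROBE = "x' OR '1'='1"
FALSE_PROBE = "x' OR '1'='2"


def boolean_oracle_differs(query_fn, conn: sqlite3.Connection) -> bool:
    """Detection: an injectable sink answers the two probes differently."""
    return query_fn(conn, TRUE_PROBE) != query_fn(conn, FALSE_PROBE)


def infer_condition(conn: sqlite3.Connection, cond_sql: str) -> bool:
    """Blind extraction step against the vulnerable sink: is cond_sql true?

    AND binds tighter than OR, so the WHERE clause becomes
    datafine = 'x' OR ((cond) AND '1'='1'); the count is non-zero iff cond holds.
    """
    probe = f"x' OR ({cond_sql}) AND '1'='1"
    return count_vulnerable(conn, probe) > 0


def demo() -> dict:
    conn = make_db()
    row2_is_high = "EXISTS(SELECT 1 FROM events WHERE id = 2 AND severity = 'high')"
    row2_is_low = "EXISTS(SELECT 1 FROM events WHERE id = 2 AND severity = 'low')"
    return {
        "vulnerable_detected": boolean_oracle_differs(count_vulnerable, conn),  # True
        "hardened_detected": boolean_oracle_differs(count_hardened, conn),      # False
        "hardened_true_probe_rows": count_hardened(conn, TRUE_PROBE),           # 0
        "row2_high": infer_condition(conn, row2_is_high),                       # True
        "row2_low": infer_condition(conn, row2_is_low),                         # False
    }
```

Real blind extraction repeats infer_condition with SUBSTR and comparison conditions to recover a value one character at a time; the fix is the same in every case, bound parameters for values and an allow-list for anything that must become an identifier.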
CVE-2025-61224 WRITEUP MEDIUM WRITEUP
DokuWiki 2025-05-14a - XSS
Cross Site Scripting vulnerability in DokuWiki 2025-05-14a 'Librarian'[56.1] allows a remote attacker to execute arbitrary script via the q parameter.
CVSS 6.5