Mirabbas Ağalarov

60 exploits Active since Jul 2023
CVE-2023-53909 EXPLOITDB MEDIUM text WORKING POC
WBCE CMS 1.6.1 - XSS
WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file.
CVSS 5.4
CVE-2023-53906 EXPLOITDB MEDIUM text WORKING POC
projectSend r1605 - XSS
projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users load the affected page, enabling persistent script injection.
CVSS 4.8
CVE-2023-53905 EXPLOITDB HIGH text WORKING POC
ProjectSend r1605 - Code Injection
ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.
CVSS 8.0
CVE-2023-53903 EXPLOITDB MEDIUM text WORKING POC
WebsiteBaker 2.13.3 - XSS
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks.
CVSS 5.4
CVE-2023-53902 EXPLOITDB MEDIUM text WORKING POC
WebsiteBaker 2.13.3 - Path Traversal
WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory.
CVSS 6.5
CVE-2023-53901 EXPLOITDB MEDIUM text WORKING POC
WBCE CMS 1.6.1 - XSS
WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.
CVSS 5.4
CVE-2023-53899 EXPLOITDB CRITICAL text WORKING POC
PodcastGenerator 3.2.9 - SSRF
PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
CVSS 9.8
CVE-2023-53898 EXPLOITDB MEDIUM text WORKING POC
Rukovoditel 3.4.1 - XSS
Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers.
CVSS 5.4
CVE-2023-53897 EXPLOITDB MEDIUM text WORKING POC
Rukovoditel 3.4.1 - XSS
Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.
CVSS 5.4
CVE-2023-53892 EXPLOITDB HIGH text WORKING POC
Blackcat CMS 1.4 - RCE
Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin's PHP file with a 'code' parameter.
CVSS 7.2
CVE-2023-53891 EXPLOITDB MEDIUM text WORKING POC
Blackcat CMS 1.4 - XSS
Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page.
CVSS 5.4
CVE-2023-53890 EXPLOITDB MEDIUM text WORKING POC
Perch CMS 3.2 - XSS
Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks.
CVSS 5.4
CVE-2023-53889 EXPLOITDB HIGH text WORKING POC
Perch CMS 3.2 - RCE
Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server.
CVSS 7.2
CVE-2023-53888 EXPLOITDB HIGH python WORKING POC
Zomplog 3.9 - RCE
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the saveE and rename actions in the application.
CVSS 8.8
CVE-2023-53887 EXPLOITDB MEDIUM text WORKING POC
Zomplog 3.9 - XSS
Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser.
CVSS 5.4
CVE-2023-53885 EXPLOITDB HIGH text WORKING POC
Webutler v3.2 - RCE
Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded file.
CVSS 7.2
CVE-2023-53884 EXPLOITDB MEDIUM text WORKING POC
Webedition CMS v2.9.8.8 - XSS
Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users.
CVSS 5.4
CVE-2023-53883 EXPLOITDB HIGH text WORKING POC
Webedition CMS <2.9.8.8 - Authenticated RCE
Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system commands in the description field to execute arbitrary commands on the server.
CVSS 7.2
CVE-2023-53868 EXPLOITDB HIGH text WORKING POC
Coppermine Gallery 1.6.25 - Authenticated RCE
Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script.
CVSS 8.8
CVE-2023-36969 METASPLOIT HIGH ruby WORKING POC
CMS Made Simple <2.2.17 - RCE
CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.
CVSS 8.8
EIP-2026-113266 EXPLOITDB text WORKING POC
Webedition CMS v2.9.8.8 - Blind SSRF
EIP-2026-111818 EXPLOITDB text WORKING POC
Rukovoditel 3.3.1 - Remote Code Execution (RCE)
EIP-2026-111359 EXPLOITDB python WORKING POC
Pluck v4.7.18 - Remote Code Execution (RCE)
EIP-2026-111545 EXPLOITDB text WORKING POC
ProjeQtOr Project Management System v10.4.1 - Multiple XSS
EIP-2026-111544 EXPLOITDB text WORKING POC
ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)