Mirabbas Ağalarov

61 exploits Active since Jul 2023
CVE-2023-53910 EXPLOITDB MEDIUM text WORKING POC
WBCE CMS 1.6.1 - Authenticated Stored Cross-Site Scripting via Page Content
WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script content in the content parameter to execute JavaScript when users view the affected page.
CVSS 5.4
CVE-2023-53909 EXPLOITDB MEDIUM text WORKING POC
WBCE CMS 1.6.1 - Authenticated Stored Cross-Site Scripting via SVG File Upload
WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file.
CVSS 5.4
CVE-2023-53906 EXPLOITDB MEDIUM text WORKING POC
projectSend r1605 - Authenticated Stored Cross-Site Scripting via Custom Assets Page
projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users load the affected page, enabling persistent script injection.
CVSS 4.8
CVE-2023-53905 EXPLOITDB HIGH text WORKING POC
ProjectSend r1605 - Authenticated CSV Injection via User Profile Name Field
ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.
CVSS 8.0
CVE-2023-53903 EXPLOITDB MEDIUM text WORKING POC
WebsiteBaker 2.13.3 - Authenticated Stored Cross-Site Scripting via SVG File Upload
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks.
CVSS 5.4
CVE-2023-53902 EXPLOITDB MEDIUM text WORKING POC
WebsiteBaker 2.13.3 - Path Traversal
WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory.
CVSS 6.5
CVE-2023-53901 EXPLOITDB MEDIUM text WORKING POC
WBCE CMS 1.6.1 - Stored Cross-Site Scripting via CSS Keylogging
WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.
CVSS 5.4
CVE-2023-53899 EXPLOITDB CRITICAL text WORKING POC
PodcastGenerator 3.2.9 - Server-Side Request Forgery via Episode Upload Shortdesc Parameter
PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
CVSS 9.8
CVE-2023-53898 EXPLOITDB MEDIUM text WORKING POC
Rukovoditel 3.4.1 - Authenticated Stored Cross-Site Scripting via Application Copyright Text
Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers.
CVSS 5.4
CVE-2023-53897 EXPLOITDB MEDIUM text WORKING POC
Rukovoditel 3.4.1 - Authenticated Stored Cross-Site Scripting via Project Task Comments
Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.
CVSS 5.4
CVE-2023-53892 EXPLOITDB HIGH text WORKING POC
Blackcat CMS 1.4 - Authenticated Remote Code Execution via jQuery Plugin Manager
Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin's PHP file with a 'code' parameter.
CVSS 7.2
CVE-2023-53891 EXPLOITDB MEDIUM text WORKING POC
Blackcat CMS 1.4 - Authenticated Stored Cross-Site Scripting via Page Modification
Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page.
CVSS 5.4
CVE-2023-53890 EXPLOITDB MEDIUM text WORKING POC
Perch CMS 3.2 - Authenticated Stored Cross-Site Scripting via SVG File Upload
Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks.
CVSS 5.4
CVE-2023-53889 EXPLOITDB HIGH text WORKING POC
Perch CMS 3.2 - Authenticated Remote Code Execution via Arbitrary PHP File Upload
Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server.
CVSS 7.2
CVE-2023-53888 EXPLOITDB HIGH python WORKING POC
Zomplog 3.9 - Remote Code Execution
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload files (such as JavaScript) and rename them to .php via the saveE and rename actions, then execute the resulting PHP payload to run system commands.
CVSS 8.8
CVE-2023-53887 EXPLOITDB MEDIUM text WORKING POC
Zomplog 3.9 - Authenticated Stored Cross-Site Scripting via Page Creation
Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser.
CVSS 5.4
CVE-2023-53885 EXPLOITDB HIGH text WORKING POC
Webutler 3.2 - Authenticated Remote Code Execution via PHAR File Upload
Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded file.
CVSS 7.2
CVE-2023-53884 EXPLOITDB MEDIUM text WORKING POC
Webedition CMS 2.9.8.8 - Authenticated Stored Cross-Site Scripting via SVG Upload
Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users.
CVSS 5.4
CVE-2023-53883 EXPLOITDB HIGH text WORKING POC
Webedition CMS <2.9.8.8 - Authenticated RCE
Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system commands in the description field to execute arbitrary commands on the server.
CVSS 7.2
CVE-2023-53868 EXPLOITDB HIGH text WORKING POC
Coppermine Gallery 1.6.25 - Authenticated RCE
Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script.
CVSS 8.8
CVE-2023-36969 METASPLOIT HIGH ruby WORKING POC
CMS Made Simple 2.2.17 - Authenticated Remote Code Execution via File Upload
CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.
CVSS 8.8
EIP-2026-113266 EXPLOITDB text WORKING POC
Webedition CMS v2.9.8.8 - Blind SSRF
EIP-2026-111818 EXPLOITDB text WORKING POC
Rukovoditel 3.3.1 - Remote Code Execution (RCE)
EIP-2026-111359 EXPLOITDB python WORKING POC
Pluck v4.7.18 - Remote Code Execution (RCE)
EIP-2026-111545 EXPLOITDB text WORKING POC
ProjeQtOr Project Management System v10.4.1 - Multiple XSS