Mufaddal Masalawala

7 exploits Active since Oct 2020
CVE-2020-36962 EXPLOITDB CRITICAL text WORKING POC
Tendenci 12.3.1 - Code Injection
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
CVSS 9.8
CVE-2020-15253 EXPLOITDB HIGH text WORKING POC
Grocy <= 2.7.1 - XSS
Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, which is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues, and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
CVSS 7.3
CVE-2020-15255 EXPLOITDB HIGH text WORKING POC
Anuko Time Tracker <1.19.23.5325 - Info Disclosure
In Anuko Time Tracker before version 1.19.23.5325, due to improperly filtered user input, a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325.
CVSS 8.7
CVE-2020-27422 EXPLOITDB CRITICAL text WRITEUP
Anuko Time Tracker <1.19.23.5311 - Info Disclosure
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to reuse the same link to take over the account.
CVSS 9.8
CVE-2020-27423 EXPLOITDB HIGH text WRITEUP
Anuko Time Tracker <1.19.23.5311 - DoS
Anuko Time Tracker v1.19.23.5311 lacks rate limiting on the password reset module, which allows an attacker to perform a denial-of-service attack on any legitimate user's mailbox.
CVSS 7.5
EIP-2026-104198 EXPLOITDB text WORKING POC
ChurchCRM 4.2.0 - CSV/Formula Injection
EIP-2026-104199 EXPLOITDB text WORKING POC
ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)