Natan Maia Morette

17 exploits, active since Dec 2024
CVE-2025-9404 WRITEUP LOW WRITEUP
Scada-LTS < 2.7.8.1 - Stored Cross-Site Scripting via pointHierarchySLTS Title Parameter
A vulnerability was identified in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file /pointHierarchySLTS of the component Folder Handler. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVSS 2.4
CVE-2024-53470 WRITEUP MEDIUM WRITEUP
WeGIA 3.2.0 - Stored Cross-Site Scripting via Gateway Payment Configuration Parameters
Multiple stored cross-site scripting (XSS) vulnerabilities in the component /configuracao/gateway_pagamento.php of WeGIA v3.2.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the id or name parameter.
CVSS 6.1
CVE-2024-53471 WRITEUP MEDIUM WRITEUP
WeGIA 3.2.0 - Stored Cross-Site Scripting via id or name Parameter in meio_pagamento.php
Multiple stored cross-site scripting (XSS) vulnerabilities in the component /configuracao/meio_pagamento.php of WeGIA v3.2.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the id or name parameter.
CVSS 6.1
CVE-2024-53472 WRITEUP HIGH WRITEUP
WeGIA 3.2.0 - Cross-Site Request Forgery
WeGIA v3.2.0 was discovered to contain a Cross-Site Request Forgery (CSRF).
CVSS 8.8
CVE-2024-53473 WRITEUP HIGH WRITEUP
WeGIA 3.2.0 - Missing Authorization for Password Change
WeGIA 3.2.0 before 3998672 does not verify permission to change a password.
CVSS 7.5
CVE-2024-57031 WRITEUP CRITICAL WRITEUP
WeGIA < 3.2.0 - SQL Injection via id_funcionario Parameter
WeGIA < 3.2.0 is vulnerable to SQL Injection in /funcionario/remuneracao.php via the id_funcionario parameter.
CVSS 9.8
CVE-2024-57034 WRITEUP CRITICAL WRITEUP
WeGIA < 3.2.0 - SQL Injection via query_geracao_auto.php Query Parameter
WeGIA < 3.2.0 is vulnerable to SQL Injection in query_geracao_auto.php via the query parameter.
CVSS 9.8
CVE-2024-57035 WRITEUP CRITICAL WRITEUP
WeGIA v3.2.0 - SQL Injection via nextPage Parameter
WeGIA v3.2.0 is vulnerable to SQL Injection via the nextPage parameter in /controle/control.php.
CVSS 9.8
CVE-2025-7728 WRITEUP LOW WRITEUP
Scada-LTS < 2.7.8.1 - Cross-Site Scripting via Username Parameter in users.shtm
A vulnerability classified as problematic has been found in Scada-LTS up to 2.7.8.1. Affected is an unknown function of the file users.shtm. The manipulation of the argument Username leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this issue and confirmed that it will be fixed in the upcoming release 2.8.0.
CVSS 3.5
CVE-2025-7729 WRITEUP LOW WRITEUP
Scada-LTS < 2.7.8.1 - Cross-Site Scripting via Username Parameter in usersProfiles.shtm
A vulnerability classified as problematic was found in Scada-LTS up to 2.7.8.1. Affected by this vulnerability is an unknown functionality of the file usersProfiles.shtm. The manipulation of the argument Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this issue and confirmed that it will be fixed in the upcoming release 2.8.0.
CVSS 3.5
CVE-2025-7870 WRITEUP LOW WRITEUP
Portabilis i-Diario 1.5.0 - Cross-Site Scripting via Anexo Parameter in justificativas-de-falta Endpoint
A vulnerability, which was classified as problematic, was found in Portabilis i-Diario 1.5.0. This affects an unknown part of the component justificativas-de-falta Endpoint. The manipulation of the argument Anexo leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 3.5
CVE-2025-7871 WRITEUP LOW WRITEUP
Portabilis i-Diario 1.5.0 - Cross-Site Scripting via filter[by_description] Parameter
A vulnerability has been found in Portabilis i-Diario 1.5.0 and classified as problematic. This vulnerability affects unknown code of the file /conteudos. The manipulation of the argument filter[by_description] leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 3.5
CVE-2025-8346 WRITEUP MEDIUM WRITEUP
Portabilis i-Educar 2.10 - Cross-Site Scripting via ref_cod_matricula Parameter
A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.10. Affected by this issue is some unknown functionality of the file /educar_aluno_lst.php. The manipulation of the argument ref_cod_matricula with the input "><img%20src=x%20onerror=alert(%27CVE-Hunters%27)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.3
CVE-2025-8789 WRITEUP MEDIUM WRITEUP
Portabilis i-Educar < 2.9.0 - Authorization Bypass via /module/Api/Diario Endpoint
A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.3
CVE-2025-8790 WRITEUP MEDIUM WRITEUP
Portabilis i-Educar < 2.9.0 - Improper Authorization via Pessoa API Endpoint
A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been declared as critical. This vulnerability affects unknown code of the file /module/Api/pessoa of the component API Endpoint. The manipulation of the argument ID leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.3
CVE-2025-9404 WRITEUP LOW WRITEUP
Scada-LTS < 2.7.8.1 - Stored Cross-Site Scripting via pointHierarchySLTS Title Parameter
A vulnerability was identified in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file /pointHierarchySLTS of the component Folder Handler. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVSS 2.4
CVE-2026-2064 WRITEUP LOW WRITEUP
Portabilis i-Educar < 2.10.0 - Cross-Site Scripting via File Parameter in User Data Page
A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 3.5