Nathu Nandwani

14 exploits Active since Nov 2014
CVE-2022-28598 NOMISEC MEDIUM WRITEUP
Frappe ERPNext <12.29.0 - XSS
Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVSS 6.1
CVE-2019-14941 WRITEUP HIGH WORKING POC
Shareit < 4.0.6.177 - Resource Allocation Without Limits
SHAREit through 4.0.6.177 does not check the body length from the received packet header (which is used to allocate memory for the next set of data). This could lead to a system denial of service due to uncontrolled memory allocation.
CVSS 7.5
CVE-2019-15234 WRITEUP HIGH WORKING POC
Shareit < 4.0.6.177 - Resource Allocation Without Limits
SHAREit through 4.0.6.177 does not check the full message length from the received packet header (which is used to allocate memory for the next set of data). This could lead to a system denial of service due to uncontrolled memory allocation. This is different from CVE-2019-14941.
CVSS 7.5
CVE-2024-41304 WRITEUP MEDIUM WRITEUP
Wondercms - Code Injection
An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file.
CVSS 5.4
CVE-2024-41305 WRITEUP MEDIUM WRITEUP
Wondercms - SSRF
A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.
CVSS 4.7
EIP-2026-116853 EXPLOITDB python WORKING POC
Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure
CVE-2017-17849 EXPLOITDB CRITICAL python WORKING POC
Getgosoft Getgo Download Manager < 5.3.0.2712 - Memory Corruption
A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response.
CVSS 9.8
CVE-2018-11512 EXPLOITDB MEDIUM text WORKING POC
Creatiwity Witycms - XSS
Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.
CVSS 4.8
CVE-2018-11332 EXPLOITDB MEDIUM text WORKING POC
Clippercms - XSS
Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php file.
CVSS 4.8
CVE-2022-28598 EXPLOITDB MEDIUM text WRITEUP
Frappe ERPNext <12.29.0 - XSS
Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVSS 6.1
CVE-2018-7355 EXPLOITDB MEDIUM text WORKING POC
ZTE Mf65 Firmware < 1.0.0b05 - XSS
All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices.
CVSS 6.1
EIP-2026-101828 EXPLOITDB python WORKING POC
Lenovo R2105 - Cross-Site Request Forgery (Command Execution)
CVE-2015-5996 EXPLOITDB HIGH python WORKING POC
Mediabridge Medialink MWN-WAPR300N <5.07.50 - CSRF
Cross-site request forgery (CSRF) vulnerability on Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 allows remote attackers to hijack the authentication of arbitrary users.
CVSS 8.8
CVE-2014-5395 EXPLOITDB python WORKING POC
Huawei E5180s-22 Firmware - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users for requests that (1) modify configurations, (2) send SMS messages, or have other unspecified impact via unknown vectors.