Piyush Patil

17 exploits Active since Mar 2021
CVE-2021-33394 WRITEUP MEDIUM WRITEUP
Cubecart 6.4.2 - Session Fixation via Session Cookie Injection
Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.
CVSS 5.4
CVE-2021-34243 WRITEUP MEDIUM WRITEUP
icehrm 29.0.0.OS - Stored Cross-Site Scripting via Malicious File Upload
A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The exploit is triggered when a user visits the upload location of the crafted file.
CVSS 5.4
CVE-2021-34244 WRITEUP HIGH WORKING POC
Icehrm - Cross-Site Request Forgery
A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords.
CVSS 8.8
CVE-2021-35045 WRITEUP MEDIUM WRITEUP
icehrm 29.0.0.OS - Cross-Site Scripting via /app/ Endpoint Parameters
Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint.
CVSS 6.1
CVE-2021-35046 WRITEUP MEDIUM WRITEUP
Ice Hrm 29.0.0 - Info Disclosure
A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie.
CVSS 6.1
CVE-2021-29002 EXPLOITDB MEDIUM text WORKING POC
Plone CMS 5.2.3 - Stored Cross-Site Scripting via Site Control Panel Site Title Parameter
A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter.
CVSS 5.4
CVE-2021-47872 EXPLOITDB HIGH text WRITEUP
SEO Panel < 4.9.0 - Authenticated Blind SQL Injection via order_col Parameter
SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter.
CVSS 7.1
CVE-2021-27969 EXPLOITDB MEDIUM text WORKING POC
Dolphin CMS 7.4.2 - Stored Cross-Site Scripting via Page Builder Width Parameter
Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter.
CVSS 4.8
CVE-2021-21337 EXPLOITDB MEDIUM text WORKING POC
Products.PluggableAuthService < 2.6.1 - Open Redirect via Login Form
Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1".
CVSS 5.7
CVE-2021-28417 EXPLOITDB MEDIUM text WORKING POC
Seo Panel 4.8.0 - Cross-Site Scripting via archive.php search_name Parameter
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter.
CVSS 4.8
CVE-2021-28420 EXPLOITDB MEDIUM text WORKING POC
Seo Panel 4.8.0 - Cross-Site Scripting via alerts.php from_time Parameter
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter.
CVSS 4.8
CVE-2021-28418 EXPLOITDB MEDIUM text WORKING POC
Seo Panel 4.8.0 - Cross-Site Scripting via Category Parameter
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter.
CVSS 4.8
EIP-2026-107726 EXPLOITDB text WORKING POC
ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)
EIP-2026-107727 EXPLOITDB xml WORKING POC
ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)
CVE-2021-27520 EXPLOITDB MEDIUM text WORKING POC
FUDForum 3.1.0 - Cross-Site Scripting via Author Parameter
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter.
CVSS 6.1
CVE-2021-27519 EXPLOITDB MEDIUM text WRITEUP
FUDForum 3.1.0 - Cross-Site Scripting via Index.php Srch Parameter
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter.
CVSS 6.1
CVE-2021-27308 EXPLOITDB MEDIUM text WRITEUP
4images 1.8 - Cross-Site Scripting via Redirect Parameter
A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.
CVSS 4.8