Provensec LLC - Security Researcher - Exploit Intelligence Platform

CVE-2017-8382 NOMISEC MEDIUM WRITEUP

admidio 3.2.8 - Cross-Site Request Forgery in Members Function Module

admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

3 stars

CVSS 4.5

View Code

CVE-2017-9609 NOMISEC MEDIUM WRITEUP

Blackcat CMS 1.2 - Authenticated Cross-Site Scripting via map_language Parameter

Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.

2 stars

CVSS 5.4

View Code

CVE-2017-11611 NOMISEC MEDIUM WRITEUP

Wolf CMS 0.8.3.1 - Stored Cross-Site Scripting via File and Directory Name in File Manager Plugin

Wolf CMS 0.8.3.1 allows Cross-Site Scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of the file name in a "create-file-popup" action, and the directory name in a "create-directory-popup" action, in the HTTP POST method to the "/plugin/file_manager/" script (aka an /admin/plugin/file_manager/browse// URI).

2 stars

CVSS 5.4

View Code

CVE-2017-7188 NOMISEC MEDIUM WRITEUP

Zurmo < 3.1.1 - Cross-Site Scripting via Base64-Encoded SCRIPT Element in returnUrl Parameter

Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.

2 stars

CVSS 5.4

View Code