Yuri

10 exploits Active since Feb 2009
CVE-2019-14329 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.6 - Stored Cross-Site Scripting via Create Task Parameter
An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript code.
CVSS 6.1
CVE-2019-14330 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.6 - Stored Cross-Site Scripting in Create Case
An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
CVSS 6.1
CVE-2019-14331 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.6 - Stored Cross-Site Scripting via User Creation
An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
CVSS 6.1
CVE-2019-14546 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.9 - Stored Cross-Site Scripting via Email Signature
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts).
CVSS 5.4
CVE-2019-14547 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.9 - Stored Cross-Site Scripting via Attachment Filename
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the JavaScript inside the filename and send it to users, thus helping him steal victims' cookies (hence compromising their accounts).
CVSS 5.4
CVE-2019-14548 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.9 - Stored Cross-Site Scripting in Knowledge Base Article Body
An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).
CVSS 5.4
CVE-2019-14549 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.9 - Stored Cross-Site Scripting in Entity Title and Breadcrumb
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible link.
CVSS 5.4
CVE-2019-14550 WRITEUP MEDIUM WRITEUP
EspoCRM < 5.6.9 - Stored Cross-Site Scripting via Edit Dashboard Feature
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus helping him steal victims' cookies (hence compromising their accounts).
CVSS 5.4
CVE-2008-6220 EXPLOITDB text WRITEUP
Simple Document Management System 1.1.4-1.1.5 - SQL Injection via Login Password Parameter
SQL injection vulnerability in login.php in Simple Document Management System (SDMS) 1.1.5 and 1.1.4, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the pass parameter.
CVE-2008-6236 EXPLOITDB text WRITEUP
Simple Document Management System 1.1.4-1.1.5 - SQL Injection via Login Parameter
SQL injection vulnerability in login.php in Simple Document Management System (SDMS) 1.1.5 and 1.1.4, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the login parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.