ahrixia

14 exploits Active since Mar 2022
CVE-2022-0847 NOMISEC HIGH WORKING POC
Dirty Pipe Local Privilege Escalation via CVE-2022-0847
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
21 stars
CVSS 7.8
CVE-2023-50072 NOMISEC MEDIUM WORKING POC
OpenKM 7.1.40 - Authenticated Stored Cross-Site Scripting via File Note Upload
A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) With Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS.
4 stars
CVSS 5.4
CVE-2023-30256 NOMISEC MEDIUM WORKING POC
QloApps 1.5.2 - Cross-Site Scripting via AuthController Parameters
Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
3 stars
CVSS 6.1
CVE-2023-43323 NOMISEC MEDIUM WORKING POC
mooSocial 3.1.8 - Server-Side Request Forgery via Post Function Parameters
mooSocial 3.1.8 is vulnerable to external service interaction on post function. When executed, the server sends a HTTP and DNS request to external server. The Parameters effected are multiple - messageText, data[wall_photo], data[userShareVideo] and data[userShareLink].
1 stars
CVSS 6.5
CVE-2024-57430 NOMISEC CRITICAL WORKING POC
PHPJabbers Cinema Booking System 2.0 - SQL Injection via pjActionGetUser Column Parameter
An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting this flaw can lead to unauthorized information disclosure, privilege escalation, or database manipulation.
CVSS 9.8
CVE-2024-57427 NOMISEC MEDIUM WORKING POC
PHPJabbers Cinema Booking System 2.0 - Reflected Cross-Site Scripting
PHPJabbers Cinema Booking System v2.0 is vulnerable to reflected cross-site scripting (XSS). Multiple endpoints improperly handle user input, allowing malicious scripts to execute in a victim’s browser. Attackers can craft malicious links to steal session cookies or conduct phishing attacks.
CVSS 6.1
CVE-2024-57428 NOMISEC CRITICAL WORKING POC
PHPJabbers Cinema Booking System v2.0 - Stored Cross-Site Scripting via File Upload and Seat Configuration Fields
A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking.
CVSS 9.3
CVE-2024-57429 NOMISEC MEDIUM WORKING POC
PHPJabbers Cinema Booking System 2.0 - Cross-Site Request Forgery in pjActionUpdate
A cross-site request forgery (CSRF) vulnerability in the pjActionUpdate function of PHPJabbers Cinema Booking System v2.0 allows remote attackers to escalate privileges by tricking an authenticated admin into submitting an unauthorized request.
CVSS 5.4
CVE-2023-45542 NOMISEC MEDIUM WORKING POC
mooSocial 3.1.8 - Cross-Site Scripting via Search q Parameter
Cross Site Scripting vulnerability in mooSocial 3.1.8 allows a remote attacker to obtain sensitive information via a crafted script to the q parameter in the Search function.
CVSS 6.1
CVE-2023-43326 NOMISEC MEDIUM WORKING POC
mooSocial 3.1.8 - Reflected Cross-Site Scripting via Crafted URL
A reflected cross-site scripting (XSS) vulnerability exisits in multiple url of mooSocial v3.1.8 allows attackers to steal user's session cookies and impersonate their account via a crafted URL.
CVSS 6.1
CVE-2023-43325 NOMISEC MEDIUM WORKING POC
mooSocial 3.1.8 - Reflected Cross-Site Scripting via data[redirect_url] Parameter
A reflected cross-site scripting (XSS) vulnerability in the data[redirect_url] parameter of mooSocial v3.1.8 allows attackers to steal user's session cookies and impersonate their account via a crafted URL.
CVSS 6.1
CVE-2023-44811 NOMISEC HIGH WORKING POC
MooSocial 3.1.8 - Cross-Site Request Forgery via Admin Password Change Function
Cross Site Request Forgery (CSRF) vulnerability in MooSocial v.3.1.8 allows a remote attacker to execute arbitrary code and obtain sensitive information via the admin Password Change Function.
CVSS 8.8
CVE-2023-44812 NOMISEC MEDIUM WORKING POC
mooSocial 3.1.8 - Stored Cross-Site Scripting via admin_redirect_url Parameter
Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the admin_redirect_url parameter of the user login function.
CVSS 6.1
CVE-2023-44813 NOMISEC MEDIUM WORKING POC
mooSocial 3.1.8 - Stored Cross-Site Scripting via Invite Friend Login Mode Parameter
Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function.
CVSS 6.1