geraldoalcantara

34 exploits Active since Dec 2023
CVE-2023-50071 NOMISEC HIGH WRITEUP
Sourcecodester Customer Support System 1.0 - SQL Injection via Department ID or Name Parameter
Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_department via id or name.
3 stars
CVSS 8.8
CVE-2023-51800 NOMISEC MEDIUM WORKING POC
School Fees Management System v.1.0 - XSS
Cross Site Scripting (XSS) vulnerability in School Fees Management System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the main_settings component in the phone, address, bank, acc_name, acc_number parameters, new_class and cname parameter, add_new_parent function in the name email parameters, new_term function in the tname parameter, and the edit_student function in the name parameter.
2 stars
CVSS 5.4
CVE-2023-50070 NOMISEC HIGH WORKING POC
Sourcecodester Customer Support System 1.0 - SQL Injection via department_id, customer_id, and subject Parameters
Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket via department_id, customer_id, and subject.
2 stars
CVSS 8.8
CVE-2023-51801 NOMISEC CRITICAL WRITEUP
Simple Student Attendance System <1.0 - RCE
SQL Injection vulnerability in the Simple Student Attendance System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the id parameter in the student_form.php and the class_form.php pages.
1 stars
CVSS 9.8
CVE-2023-51802 NOMISEC MEDIUM WRITEUP
Simple Student Attendance System <1.0 - XSS
Cross Site Scripting (XSS) vulnerability in the Simple Student Attendance System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the page or class_month parameter in the /php-attendance/attendance_report component.
1 stars
CVSS 6.1
CVE-2023-49989 NOMISEC CRITICAL WORKING POC
Hotel Booking Management v1.0 - SQL Injection via update.php id Parameter
Hotel Booking Management v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at update.php.
1 stars
CVSS 9.8
CVE-2023-49547 NOMISEC CRITICAL WRITEUP
Customer Support System v1 - SQL Injection via Username Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.
CVSS 9.8
CVE-2023-49548 NOMISEC HIGH WORKING POC
Customer Support System v1 - SQL Injection via lastname Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.
CVSS 8.8
CVE-2023-49968 NOMISEC HIGH WRITEUP
Customer Support System v1 - SQL Injection via id Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.
CVSS 7.3
CVE-2023-49969 NOMISEC MEDIUM WORKING POC
Customer Support System v1 - SQL Injection via id Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.
CVSS 4.3
CVE-2023-49970 NOMISEC CRITICAL WRITEUP
Customer Support System v1 - SQL Injection via Subject Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.
CVSS 9.8
CVE-2023-49971 NOMISEC MEDIUM WRITEUP
Customer Support System 1 - Stored Cross-Site Scripting via Firstname Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter at /customer_support/index.php?page=customer_list.
CVSS 6.1
CVE-2023-49973 NOMISEC MEDIUM WRITEUP
Customer Support System v1 - Cross-Site Scripting via Email Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter at /customer_support/index.php?page=customer_list.
CVSS 6.1
CVE-2023-49974 NOMISEC MEDIUM WRITEUP
Customer Support System 1 - Stored Cross-Site Scripting via Contact Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list.
CVSS 6.1
CVE-2023-49976 NOMISEC MEDIUM WRITEUP
Customer Support System 1 - Stored Cross-Site Scripting via New Ticket Subject Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket.
CVSS 5.4
CVE-2023-49977 NOMISEC MEDIUM WRITEUP
Customer Support System 1 - Stored Cross-Site Scripting via Address Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer.
CVSS 5.4
CVE-2023-49978 NOMISEC HIGH WRITEUP
Customer Support System v1 - Improper Access Control
Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators.
CVSS 8.8
CVE-2023-49539 NOMISEC MEDIUM WRITEUP
Book Store Management System 1.0 - Stored Cross-Site Scripting via Category Parameter
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/category. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the category parameter.
CVSS 6.1
CVE-2023-49980 NOMISEC HIGH WRITEUP
Best Student Result Management System 1.0 - Unauthenticated Directory Listing
A directory listing vulnerability in Best Student Result Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.
CVSS 7.5
CVE-2023-49981 NOMISEC HIGH WRITEUP
School Fees Management System 1.0 - Unauthenticated Directory Listing
A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.
CVSS 7.5
CVE-2023-49982 NOMISEC HIGH WRITEUP
School Fees Management System 1.0 - Incorrect Authorization in User Management Component
Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts.
CVSS 8.8
CVE-2023-49983 NOMISEC MEDIUM WRITEUP
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter
A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
CVSS 6.8
CVE-2023-49984 NOMISEC MEDIUM WRITEUP
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter in Settings
A cross-site scripting (XSS) vulnerability in the component /management/settings of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
CVSS 6.1
CVE-2023-49985 NOMISEC MEDIUM WORKING POC
School Fees Management System 1.0 - Stored Cross-Site Scripting via cname Parameter
A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cname parameter.
CVSS 6.5
CVE-2023-49986 NOMISEC MEDIUM WRITEUP
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter
A cross-site scripting (XSS) vulnerability in the component /admin/parent of School Fees Management System 1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
CVSS 4.7