geraldoalcantara

34 exploits Active since Dec 2023
CVE-2023-49987 NOMISEC MEDIUM WRITEUP
School Fees Management System 1.0 - Stored Cross-Site Scripting via tname Parameter
A cross-site scripting (XSS) vulnerability in the component /management/term of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tname parameter.
CVSS 5.4
CVE-2023-49988 NOMISEC HIGH WRITEUP
Hotel Booking Management v1.0 - SQL Injection via npss Parameter
Hotel Booking Management v1.0 was discovered to contain a SQL injection vulnerability via the npss parameter at rooms.php.
CVSS 7.5
CVE-2023-51281 NOMISEC MEDIUM WRITEUP
Customer Support System 1.0 - Cross-Site Scripting via Firstname Lastname Middlename Contact and Address Parameters
A cross-site scripting (XSS) vulnerability in Customer Support System v1.0 allows a remote attacker to escalate privileges via a crafted script supplied in the firstname, lastname, middlename, contact and address parameters.
CVSS 5.4
CVE-2023-49979 NOMISEC HIGH WRITEUP
Customer Support System <v1 - Info Disclosure
A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
CVSS 7.5
CVE-2023-49540 NOMISEC MEDIUM WRITEUP
Book Store Management System v1.0 - Cross-Site Scripting via History Parameter
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/history. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the history parameter.
CVSS 6.1
CVE-2023-49543 NOMISEC CRITICAL WRITEUP
Book Store Management System v1 - Unauthenticated Improper Access Control
Incorrect access control in Book Store Management System v1 allows attackers to access unauthorized pages and execute administrative functions without authenticating.
CVSS 9.8
CVE-2023-49544 NOMISEC MEDIUM WRITEUP
Customer Support System v1 - Local File Inclusion via Page Parameter
A local file inclusion (LFI) vulnerability in Customer Support System v1 allows attackers to include internal PHP files and gain unauthorized access via manipulation of the page= parameter at /customer_support/index.php.
CVSS 4.9
CVE-2023-49545 NOMISEC HIGH WRITEUP
Customer Support System v1 - Unauthenticated Directory Listing
A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
CVSS 7.5
CVE-2023-49546 NOMISEC HIGH WORKING POC
Customer Support System v1 - SQL Injection via Email Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.
CVSS 8.8