3 exploits, active since Aug 2024
CVE-2024-47066 NOMISEC CRITICAL WORKING POC
Lobe Chat <1.19.13 - SSRF
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, the server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not account for HTTP redirects and can be bypassed when an attacker supplies an external malicious URL that redirects to an internal resource, such as a private-network or loopback address. Version 1.19.13 contains an improved fix for the issue.
3 stars
CVSS 9.0
CVE-2024-7856 NOMISEC HIGH WORKING POC
Sonaar Mp3 Audio Player For Music, Ra... - Missing Authorization
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files, which can lead to remote code execution when wp-config.php is deleted.
1 star
CVSS 8.1
CVE-2025-44998 NOMISEC MEDIUM WRITEUP
Prasathmani Tiny File Manager - XSS
A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML by injecting a crafted payload into the js-theme-3 parameter.
CVSS 6.1