leekenghwa

8 exploits Active since Apr 2023
CVE-2023-34830 NOMISEC MEDIUM WRITEUP
i-doit < 24 - Reflected Cross-Site Scripting via Login Page Timeout Parameter
i-doit Open v24 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the timeout parameter on the login page.
3 stars
CVSS 5.4
CVE-2023-37756 NOMISEC CRITICAL WRITEUP
i-doit < 25 - Weak Password Requirements for Administrator Accounts
I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creation. Attackers are able to easily guess users' passwords via a brute-force attack.
1 star
CVSS 9.8
CVE-2023-33817 NOMISEC HIGH WRITEUP
HotelDruid 3.0.5 - SQL Injection
HotelDruid v3.0.5 was discovered to contain a SQL injection vulnerability.
1 star
CVSS 8.8
CVE-2023-46003 NOMISEC MEDIUM WRITEUP
i-doit < 25 - Stored Cross-Site Scripting via index.php
I-doit pro 25 and below is vulnerable to Cross Site Scripting (XSS) via index.php.
CVSS 5.4
CVE-2023-37739 NOMISEC MEDIUM WRITEUP
i-doit < 25 - Path Traversal
i-doit Pro v25 and below was discovered to be vulnerable to path traversal.
CVSS 6.5
CVE-2023-37755 NOMISEC CRITICAL WRITEUP
i-doit < 25 - Use of Hard-coded Credentials
i-doit pro 25 and below and I-doit open 25 and below are configured with insecure default administrator credentials, and there is no warning or prompt to ask users to change the default password and account name. Unauthenticated attackers can exploit this vulnerability to obtain Administrator privileges, resulting in them being able to perform arbitrary system operations or cause a Denial of Service (DoS).
CVSS 9.8
CVE-2023-34537 NOMISEC MEDIUM WRITEUP
HotelDruid 3.0.5 - Reflected Cross-Site Scripting
A reflected XSS was discovered in HotelDruid version 3.0.5: an attacker can inject malicious code via a parameter of an affected web page to trick users in their browser and/or exfiltrate data.
CVSS 5.4
CVE-2023-26852 NOMISEC HIGH WRITEUP
Textpattern < 4.8.8 - Arbitrary File Upload via Upload Plugin
An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file.
CVSS 7.2