reewardius

4 exploits | Active since Jul 2022
CVE-2025-67888 | GITHUB | WORKING POC
Control Web Panel /admin/index.php Unauthenticated RCE
Control Web Panel (CWP) versions <= 0.9.8.1208 are vulnerable to unauthenticated OS command injection. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of the root user on the web server. Successful exploitation usually requires "Softaculous" and/or "SitePad" to be installed through the Scripts Manager.
CVE-2022-31889 | NOMISEC | MEDIUM | WORKING POC
Enhancesoft Audit Log < 2022-04-21 - XSS
Cross Site Scripting (XSS) vulnerability in audit/templates/auditlogs.tmpl.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae.
CVSS 6.1
CVE-2022-31890 | NOMISEC | CRITICAL | WORKING POC
Enhancesoft Audit Log < 2022-04-21 - SQL Injection
SQL Injection vulnerability in audit/class.audit.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae via the order parameter to the getOrder function.
CVSS 9.8
CVE-2022-32074 | NOMISEC | MEDIUM | SUSPICIOUS
osTicket < 2022-05-19 - XSS
A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
CVSS 5.4