sahiloj

18 exploits Active since May 2023
CVE-2023-34839 NOMISEC MEDIUM WRITEUP
Issabel PBX 4.0.0-6 - Cross-Site Request Forgery via New User Creation
A Cross Site Request Forgery (CSRF) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows a remote attacker to gain privileges via a Custom CSRF exploit to create new user function in the application.
5 stars
CVSS 6.8
CVE-2023-31703 NOMISEC CRITICAL WRITEUP
Microworld Technologies eScan <14.0.1400.2281 - XSS
Cross Site Scripting (XSS) in the edit user form in Microworld Technologies eScan management console 14.0.1400.2281 allows remote attacker to inject arbitrary code via the from parameter.
3 stars
CVSS 9.0
CVE-2023-37599 NOMISEC HIGH WRITEUP
Issabel PBX 4.0.0-6 - Sensitive Information Exposure via Modules Directory
An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory
2 stars
CVSS 7.5
CVE-2023-31702 NOMISEC HIGH WRITEUP
MicroWorld eScan Management Console <14.0.1400.2281 - SQL Injection
SQL injection in the View User Profile in MicroWorld eScan Management Console 14.0.1400.2281 allows remote attacker to dump entire database and gain windows XP command shell to perform code execution on database server via GetUserCurrentPwd?UsrId=1.
2 stars
CVSS 7.2
CVE-2025-5352 NOMISEC CRITICAL WRITEUP
lunary < 1.9.25 - Stored Cross-Site Scripting via NEXT_PUBLIC_CUSTOM_SCRIPT Environment Variable
A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.
1 stars
CVSS 9.6
CVE-2023-37190 NOMISEC MEDIUM WRITEUP
Issabel PBX 4.0.0-6 - Stored Cross-Site Scripting via Virtual Fax Name and Caller ID Name Parameters
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Virtual Fax Name and Caller ID Name parameters under the New Virtual Fax feature.
1 stars
CVSS 4.8
CVE-2023-37189 NOMISEC MEDIUM WRITEUP
Issabel PBX 4 - Stored Cross-Site Scripting via Billing Rates Name or Prefix Fields
A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module.
1 stars
CVSS 4.8
CVE-2023-37191 NOMISEC MEDIUM WRITEUP
Issabel PBX 4.0.0-6 - Stored Cross-Site Scripting via Group and Description Parameters
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Group and Description parameters.
1 stars
CVSS 4.8
CVE-2023-37596 NOMISEC HIGH WRITEUP
Issabel PBX 4.0.0-6 - Cross-Site Request Forgery via Delete User Function
Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via a crafted script to the deleteuser function.
1 stars
CVSS 8.1
CVE-2023-37597 NOMISEC HIGH WRITEUP
Issabel PBX 4.0.0-6 - Cross-Site Request Forgery via User Grouplist Deletion
Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete user grouplist function.
1 stars
CVSS 8.1
CVE-2023-37598 NOMISEC MEDIUM WRITEUP
Issabel PBX 4.0.0-6 - Cross-Site Request Forgery via Delete Virtual Fax Function
A Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete new virtual fax function.
1 stars
CVSS 4.5
CVE-2023-33732 NOMISEC MEDIUM WRITEUP
Microworld Technologies eScan mgmt console 14.0.1400.2281 - XSS
Cross Site Scripting (XSS) in the New Policy form in Microworld Technologies eScan management console 14.0.1400.2281 allows a remote attacker to inject arbitrary code via the vulnerable parameters type, txtPolicyType, and Deletefileval.
1 stars
CVSS 6.1
CVE-2023-33730 NOMISEC CRITICAL WRITEUP
eScan Management Console 14.0.1400.2281 - Cleartext Transmission of Sensitive Information via GetUserCurrentPwd Function
Privilege Escalation in the "GetUserCurrentPwd" function in Microworld Technologies eScan Management Console 14.0.1400.2281 allows any remote attacker to retrieve password of any admin or normal user in plain text format.
1 stars
CVSS 9.8
CVE-2023-34836 NOMISEC MEDIUM WRITEUP
eScan Management Console 14.0.1400.2281 - Cross-Site Scripting via Dtltyp and ListName Parameters
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Dtltyp and ListName parameters.
1 stars
CVSS 5.4
CVE-2023-34837 NOMISEC MEDIUM WRITEUP
eScan Management Console 14.0.1400.2281 - Cross-Site Scripting via GrpPath Parameter
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a vulnerable parameter GrpPath.
1 stars
CVSS 5.4
CVE-2023-34838 NOMISEC MEDIUM WRITEUP
eScan Management Console 14.0.1400.2281 - Stored Cross-Site Scripting via Description Parameter
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Description parameter.
1 stars
CVSS 5.4
CVE-2023-33731 NOMISEC MEDIUM WRITEUP
Microworld Technologies eScan <14.0.1400.2281 - XSS
Reflected Cross Site Scripting (XSS) in the view dashboard detail feature in Microworld Technologies eScan management console 14.0.1400.2281 allows remote attacker to inject arbitrary code via the URL directly.
1 stars
CVSS 6.1
CVE-2023-34835 NOMISEC MEDIUM WRITEUP
eScan Management Console 14.0.1400.2281 - Cross-Site Scripting via delete_file Parameter
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary JavaScript code via a vulnerable delete_file parameter.
1 stars
CVSS 5.4