Nomisec Exploits
22,778 exploits tracked across all sources.
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter in Settings
A cross-site scripting (XSS) vulnerability in the component /management/settings of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
by geraldoalcantara
CVSS 6.1
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter
A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
by geraldoalcantara
CVSS 6.8
School Fees Management System 1.0 - Unauthenticated Directory Listing
A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.
by geraldoalcantara
CVSS 7.5
Customer Support System v1 - Cross-Site Scripting via Email Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter at /customer_support/index.php?page=customer_list.
by geraldoalcantara
CVSS 6.1
Customer Support System 1 - Stored Cross-Site Scripting via Firstname Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter at /customer_support/index.php?page=customer_list.
by geraldoalcantara
CVSS 6.1
Customer Support System v1 - SQL Injection via Subject Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.
by geraldoalcantara
CVSS 9.8
Customer Support System v1 - SQL Injection via id Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.
by geraldoalcantara
CVSS 4.3
Customer Support System v1 - SQL Injection via id Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.
by geraldoalcantara
CVSS 7.3
Customer Support System v1 - SQL Injection via lastname Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.
by geraldoalcantara
CVSS 8.8
Customer Support System v1 - SQL Injection via Email Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.
by geraldoalcantara
CVSS 8.8
Book Store Management System v1.0 - Cross-Site Scripting via History Parameter
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/history. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the history parameter.
by geraldoalcantara
CVSS 6.1
Book Store Management System 1.0 - Stored Cross-Site Scripting via Category Parameter
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/category. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the category parameter.
by geraldoalcantara
CVSS 6.1
request-baskets < 1.2.1 - Server-Side Request Forgery via /api/baskets/{name} Endpoint
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
by KharimMchatta
Discourse < 3.1.3 and < 3.2.0.beta3 - HTML Injection via Onebox Engine
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
by Cristiano100
CVSS 5.3
School Fees Management System 1.0 - Stored Cross-Site Scripting via tname Parameter
A cross-site scripting (XSS) vulnerability in the component /management/term of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tname parameter.
by geraldoalcantara
CVSS 5.4
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter
A cross-site scripting (XSS) vulnerability in the component /admin/parent of School Fees Management System 1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
by geraldoalcantara
CVSS 4.7
School Fees Management System 1.0 - Incorrect Authorization in User Management Component
Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts.
by geraldoalcantara
CVSS 8.8
Customer Support System <v1 - Info Disclosure
A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
by geraldoalcantara
CVSS 7.5
Customer Support System v1 - Improper Access Control
Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators.
by geraldoalcantara
CVSS 8.8
Customer Support System 1 - Stored Cross-Site Scripting via Address Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer.
by geraldoalcantara
CVSS 5.4
Customer Support System 1 - Stored Cross-Site Scripting via Contact Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list.
by geraldoalcantara
CVSS 6.1
Customer Support System 1 - Stored Cross-Site Scripting via New Ticket Subject Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket.
by geraldoalcantara
CVSS 5.4
Customer Support System v1 - SQL Injection via Username Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.
by geraldoalcantara
CVSS 9.8
Customer Support System v1 - Unauthenticated Directory Listing
A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
by geraldoalcantara
CVSS 7.5
Book Store Management System v1 - Unauthenticated Improper Access Control
Incorrect access control in Book Store Management System v1 allows attackers to access unauthorized pages and execute administrative functions without authenticating.
by geraldoalcantara
CVSS 9.8
By Source