Nomisec Exploits

22,778 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-49984 NOMISEC MEDIUM
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter in Settings
A cross-site scripting (XSS) vulnerability in the component /management/settings of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
by geraldoalcantara
CVSS 6.1
CVE-2023-49983 NOMISEC MEDIUM
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter
A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
by geraldoalcantara
CVSS 6.8
CVE-2023-49981 NOMISEC HIGH
School Fees Management System 1.0 - Unauthenticated Directory Listing
A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.
by geraldoalcantara
CVSS 7.5
CVE-2023-49973 NOMISEC MEDIUM
Customer Support System v1 - Cross-Site Scripting via Email Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter at /customer_support/index.php?page=customer_list.
by geraldoalcantara
CVSS 6.1
CVE-2023-49971 NOMISEC MEDIUM
Customer Support System 1 - Stored Cross-Site Scripting via Firstname Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter at /customer_support/index.php?page=customer_list.
by geraldoalcantara
CVSS 6.1
CVE-2023-49970 NOMISEC CRITICAL
Customer Support System v1 - SQL Injection via Subject Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.
by geraldoalcantara
CVSS 9.8
CVE-2023-49969 NOMISEC MEDIUM
Customer Support System v1 - SQL Injection via id Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.
by geraldoalcantara
CVSS 4.3
CVE-2023-49968 NOMISEC HIGH
Customer Support System v1 - SQL Injection via id Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.
by geraldoalcantara
CVSS 7.3
CVE-2023-49548 NOMISEC HIGH
Customer Support System v1 - SQL Injection via lastname Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.
by geraldoalcantara
CVSS 8.8
CVE-2023-49546 NOMISEC HIGH
Customer Support System v1 - SQL Injection via Email Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.
by geraldoalcantara
CVSS 8.8
CVE-2023-49540 NOMISEC MEDIUM
Book Store Management System v1.0 - Cross-Site Scripting via History Parameter
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/history. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the history parameter.
by geraldoalcantara
CVSS 6.1
CVE-2023-49539 NOMISEC MEDIUM
Book Store Management System 1.0 - Stored Cross-Site Scripting via Category Parameter
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/category. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the category parameter.
by geraldoalcantara
CVSS 6.1
CVE-2023-27163 NOMISEC MEDIUM
request-baskets < 1.2.1 - Server-Side Request Forgery via /api/baskets/{name} Endpoint
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
by KharimMchatta
1 stars
CVSS 6.5
CVE-2023-47119 NOMISEC MEDIUM
Discourse < 3.1.3 and < 3.2.0.beta3 - HTML Injection via Onebox Engine
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
by Cristiano100
CVSS 5.3
CVE-2023-49987 NOMISEC MEDIUM
School Fees Management System 1.0 - Stored Cross-Site Scripting via tname Parameter
A cross-site scripting (XSS) vulnerability in the component /management/term of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tname parameter.
by geraldoalcantara
CVSS 5.4
CVE-2023-49986 NOMISEC MEDIUM
School Fees Management System 1.0 - Stored Cross-Site Scripting via Name Parameter
A cross-site scripting (XSS) vulnerability in the component /admin/parent of School Fees Management System 1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.
by geraldoalcantara
CVSS 4.7
CVE-2023-49982 NOMISEC HIGH
School Fees Management System 1.0 - Incorrect Authorization in User Management Component
Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts.
by geraldoalcantara
CVSS 8.8
CVE-2023-49979 NOMISEC HIGH
Customer Support System <v1 - Info Disclosure
A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
by geraldoalcantara
CVSS 7.5
CVE-2023-49978 NOMISEC HIGH
Customer Support System v1 - Improper Access Control
Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators.
by geraldoalcantara
CVSS 8.8
CVE-2023-49977 NOMISEC MEDIUM
Customer Support System 1 - Stored Cross-Site Scripting via Address Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer.
by geraldoalcantara
CVSS 5.4
CVE-2023-49974 NOMISEC MEDIUM
Customer Support System 1 - Stored Cross-Site Scripting via Contact Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list.
by geraldoalcantara
CVSS 6.1
CVE-2023-49976 NOMISEC MEDIUM
Customer Support System 1 - Stored Cross-Site Scripting via New Ticket Subject Parameter
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket.
by geraldoalcantara
CVSS 5.4
CVE-2023-49547 NOMISEC CRITICAL
Customer Support System v1 - SQL Injection via Username Parameter
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.
by geraldoalcantara
CVSS 9.8
CVE-2023-49545 NOMISEC HIGH
Customer Support System v1 - Unauthenticated Directory Listing
A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
by geraldoalcantara
CVSS 7.5
CVE-2023-49543 NOMISEC CRITICAL
Book Store Management System v1 - Unauthenticated Improper Access Control
Incorrect access control in Book Store Management System v1 allows attackers to access unauthorized pages and execute administrative functions without authenticating.
by geraldoalcantara
CVSS 9.8