
Tag: #php

CVE-2023-43013: Asset Management System v1.0 - Unauthenticated SQL Injection (SQLi) | Advisories | Fluid Attacks

Asset Management System v1.0 is vulnerable to unauthenticated SQL injection in the 'email' parameter of the index.php page, allowing an external attacker to dump the entire contents of the database and bypass the login control.

CVE-2023-5185: Gym Management System Project v1.0 - Insecure File Upload | Advisories | Fluid Attacks

Gym Management System Project v1.0 is vulnerable to insecure file upload via the 'file' parameter of the profile/i.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.

CVE-2023-5004: Hospital-management-system-in-php 378c157 - Blind SQL Injection | Advisories | Fluid Attacks

Hospital management system version 378c157 allows authentication to be bypassed. This is possible because the application is vulnerable to SQLi.

CVE-2023-43226: GitHub - zzq66/cve: poc

An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVE-2023-30415: Getting my first CVE

Sourcecodester Packers and Movers Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /inquiries/view_inquiry.php.

GHSA-pq98-6hf6-3rj3: Economizzer remote code execution vulnerability

A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.

CVE-2023-44276: Advisory X41-2023-001: Two Vulnerabilities in OPNsense

OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.

CVE-2023-5230: wishlist.php in tm-woocommerce-compare-wishlist/tags/1.1.7/includes/wishlist – WordPress Plugin Repository

The TM WooCommerce Compare & Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tm_woo_wishlist_table' shortcode in versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-38877: GitHub - gugoan/economizzer: Open Source Personal Finance Manager

A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.