CVE-2020-29456
Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a...
The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. Systems using the Crux Linux Docker container deployed by affected versions of the Docker image may allow...
An SQL injection vulnerability was discovered in Gym Management System. In the manage_user.php file, the GET parameter ‘id’ is vulnerable. Date published : 2020-12-02 https://github.com/BigTiger2020/Gym-Management-System/blob/main/README.md https://www.exploit-db.com/exploits/48936
An SQL injection vulnerability was discovered in Car Rental Management System v1.0 that can be exploited via the id parameter in view_car.php or the car_id parameter in booking.php. Date published : 2020-12-02 https://github.com/BigTiger2020/Car-Rental-Management-System/blob/main/README.md https://www.exploit-db.com/exploits/49056
An SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php. Date published : 2020-12-02 https://github.com/BigTiger2020/Point-of-Sales/blob/main/README.md Online Doctor Appointment Booking System PHP and...
The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request...
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php. Date published : 2020-12-02 https://github.com/BigTiger2020/Online-Doctor-Appointment-Booking-System-PHP/blob/main/README.md Online Doctor Appointment Booking System PHP and Mysql
SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication. Date published : 2020-12-02 https://github.com/BigTiger2020/BloodX-CMS/blob/main/README.md https://github.com/diveshlunker/BloodX
The Victor CMS v1.0 application is vulnerable to SQL injection via the ‘search’ parameter on the search.php page. Date published : 2020-12-02 https://github.com/BigTiger2020/Victor-CMS-/blob/main/README.md https://github.com/VictorAlagwu/CMSsite/issues/13
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution. Date published : 2020-12-02 http://www.74cms.com/news/show-2497.html https://github.com/BigTiger2020/74CMS/blob/main/README.md
Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the...
Online Birth Certificate System Project V 1.0 is affected by cross-site scripting (XSS). This vulnerability can result in an attacker injecting the XSS payload in the User Registration section. When an admin visits the...
Prototype pollution vulnerability in ‘set-in’ versions 1.0.0 through 2.0.0 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-02 https://github.com/ahdinosaur/set-in/commit/e431effa00195a6f06b111e09733cd1445a91a88 https://www.whitesourcesoftware.com/vulnerability-database
Prototype pollution vulnerability in ‘keyget’ versions 1.0.0 through 2.2.0 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-02 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28272 https://github.com/rumkin/keyget/commit/17d15b6c75036eb429075a8cfeccfc18094dd2e2