CVE-2022-30804
elitecms v1.01 is vulnerable to arbitrary file deletion via /admin/delete_image.php?file=. Date published : 2022-05-31 https://github.com/k0xx11/bug_report/blob/main/elitecms-1.01/delet-file-1.md
Badminton Center Management System V1.0 is vulnerable to SQL Injection via parameter ‘id’ in /bcms/admin/court_rentals/update_status.php. Date published : 2022-05-31 http://badminton.com https://github.com/yasinyildiz26/Badminton-Center-Management-System
Ecommerce-project-with-php-and-mysqli-Fruits-Bazar- 1.0 is vulnerable to Cross Site Scripting (XSS) in adminadd_cata.php via the ctg_name parameters. Date published : 2022-05-31 https://github.com/APTX-4879/CVE https://github.com/APTX-4879/CVE/blob/main/CVE-2022-30482.pdf
Food-order-and-table-reservation-system- 1.0 is vulnerable to SQL Injection in categorywise-menu.php via the catid parameters. Date published : 2022-05-31 https://github.com/APTX-4879/CVE https://github.com/APTX-4879/CVE/blob/main/CVE-2022-30481.pdf
Ecommerce-project-with-php-and-mysqli-Fruits-Bazar 1.0 is vulnerable to SQL Injection in search_product.php via the keyword parameters. Date published : 2022-05-31 https://github.com/APTX-4879/CVE https://github.com/APTX-4879/CVE/blob/main/CVE-2022-30478.pdf
OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json. Date published : 2022-05-31 https://gitee.com/oufu/ofcms/issues/I53COA
A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request. Date published : 2022-05-31 https://github.com/jflyfox/jfinal_cms/issues/34
An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. Date published : 2022-05-31 https://gist.github.com/aaaahuia/f708c6c8a320e0f3afbb9247903c4670
An arbitrary file upload vulnerability in the Add File function of TPCMS v3.2 allows attackers to execute arbitrary code via a crafted PHP file. Date published : 2022-05-31 https://gitee.com/happy_source/tpcms https://gitee.com/happy_source/tpcms/issues/I533KY
resi-calltrace in RESI Gemini-Net 4.2 is affected by Multiple XSS issues. Unauthenticated remote attackers can inject arbitrary web script or HTML into an HTTP GET parameter that reflects user input without sanitization. This exists...
Incorrect Default Permissions vulnerability in ABB e-Design allows attacker to install malicious software executing with SYSTEM permissions violating confidentiality, integrity, and availability of the target machine. Date published : 2022-05-31 https://search.abb.com/library/Download.aspx?DocumentID=2%20CMT%200%200%206%200%208%206&LanguageCode=en&DocumentPartId=&Action=Launch
XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior...
SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an `X25519` key exchange, the client’s private key is generated with `System.Random`. `System.Random` is not a cryptographically secure random...
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long...