Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2023-5185: Gym Management System Project v1.0 - Insecure File Upload | Advisories | Fluid Attacks

Gym Management System Project v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'file' parameter of profile/i.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.

CVE
Open in Source
#vulnerability#php#rce#auth
CVE-2023-5004: Hospital-management-system-in-php 378c157 - Blind SQL Injection | Advisories | Fluid Attacks

Hospital management system version 378c157 allows to bypass authentication. This is possible because the application is vulnerable to SQLI.

CVE-2023-43226: GitHub - zzq66/cve: poc

An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVE-2023-30415: Getting my first CVE

Sourcecodester Packers and Movers Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /inquiries/view_inquiry.php.

GHSA-pq98-6hf6-3rj3: Economizzer remote code execution vulnerability

A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.

CVE-2023-44276: Advisory X41-2023-001: Two Vulnerabilities in OPNsense

OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.

CVE-2023-5230: wishlist.php in tm-woocommerce-compare-wishlist/tags/1.1.7/includes/wishlist – WordPress Plugin Repository

The TM WooCommerce Compare & Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'tm_woo_wishlist_table' shortcode in versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-38877: GitHub - gugoan/economizzer: Open Source Personal Finance Manager

A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.

CVE-2023-38874: GitHub - gugoan/economizzer: Open Source Personal Finance Manager

A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.

CVE-2023-41447: CVE-2023-41447

Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the subcmd parameter in the index.php component.