» 2022 » 1월

CVE-2021-40907

Posted on 2022년 1월 25일2022년 1월 25일 by admin

CVE-2021-40907

SQL injection vulnerability in Sourcecodester Storage Unit Rental Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /storage/classes/Login.php.

Source: CVE-2021-40907

CVE-2021-40908

Posted on 2022년 1월 25일2022년 1월 25일 by admin

CVE-2021-40908

SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.

Source: CVE-2021-40908

CVE-2022-22296

Posted on 2022년 1월 24일2022년 1월 25일 by admin

CVE-2022-22296

Sourcecodester Hospital’s Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint. Simply change the value and data of other users can be displayed.

Source: CVE-2022-22296

CVE-2021-44981

Posted on 2022년 1월 24일2022년 1월 25일 by admin

CVE-2021-44981

In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(”); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shell_exec(”); function, which allows for privilege escalation by means of RCE.

Source: CVE-2021-44981

CVE-2022-0269

Posted on 2022년 1월 24일2022년 1월 24일 by admin

CVE-2022-0269

Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0.

Source: CVE-2022-0269

CVE-2021-25045

Posted on 2022년 1월 24일2022년 1월 24일 by admin

CVE-2021-25045

The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue

Source: CVE-2021-25045

CVE-2021-25035

Posted on 2022년 1월 24일2022년 1월 24일 by admin

CVE-2021-25035

The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Source: CVE-2021-25035

CVE-2021-24985

Posted on 2022년 1월 24일2022년 1월 24일 by admin

CVE-2021-24985

The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Source: CVE-2021-24985

CVE-2021-24976

Posted on 2022년 1월 24일2022년 1월 24일 by admin

CVE-2021-24976

The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting

Source: CVE-2021-24976

CVE-2021-25031

Posted on 2022년 1월 24일2022년 1월 24일 by admin

CVE-2021-25031

The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

Source: CVE-2021-25031