CVE-2020-29205
https://notcve.org/view.php?id=CVE-2020-29205
XSS in the signup form in Project Worlds Online Examination System 1.0 allows a remote attacker to inject arbitrary code via the name field.
References: https://github.com/projectworldsofficial/online-examination-systen-in-php • https://nikhilkumar01.medium.com/cve-2020-29205-a7ab5cbcd156 • https://www.exploit-db.com/exploits/48969
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-24203
https://notcve.org/view.php?id=CVE-2020-24203
Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.
References: https://github.com/hyd3sec/TravelManagementSystemRCE • https://projectworlds.in/free-projects/php-projects/travel-management-system-project-in-php-mysql
CWE-425: Direct Request ('Forced Browsing') • CWE-434: Unrestricted Upload of File with Dangerous Type