CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52155
https://notcve.org/view.php?id=CVE-2023-52155
21 Feb 2024 — A SQL Injection vulnerability in /admin/sauvegarde/run.php in PMB 7.4.7 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via the sauvegardes variable through the /admin/sauvegarde/run.php endpoint. Una vulnerabilidad de inyección SQL en /admin/sauvegarde/run.php en PMB 7.4.7 y anteriores permite a atacantes remotos autenticados ejecutar comandos SQL de su elección a través de la variable sauvegardes a través del endpoint /admin/sauvegarde/run.php. • https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46474
https://notcve.org/view.php?id=CVE-2023-46474
11 Jan 2024 — File Upload vulnerability PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file. Vulnerabilidad de carga de archivos PMB v.7.4.8 permite a un atacante remoto ejecutar código arbitrario y escalar privilegios a través de un archivo PHP manipulado subido al archivo start_import.php. • https://github.com/Xn2/CVE-2023-46474 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24733
https://notcve.org/view.php?id=CVE-2023-24733
06 Mar 2023 — PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php. • https://github.com/AetherBlack/CVE/tree/main/PMB • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24734
https://notcve.org/view.php?id=CVE-2023-24734
06 Mar 2023 — An arbitrary file upload vulnerability in the camera_upload.php component of PMB v7.4.6 allows attackers to execute arbitrary code via a crafted image file. • https://github.com/AetherBlack/CVE/tree/main/PMB • CWE-416: Use After Free •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24735
https://notcve.org/view.php?id=CVE-2023-24735
06 Mar 2023 — PMB v7.4.6 was discovered to contain an open redirect vulnerability via the component /opac_css/pmb.php. This vulnerability allows attackers to redirect victim users to an external domain via a crafted URL. • https://github.com/AetherBlack/CVE/tree/main/PMB • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24736
https://notcve.org/view.php?id=CVE-2023-24736
06 Mar 2023 — PMB v7.4.6 was discovered to contain a remote code execution (RCE) vulnerability via the component /sauvegarde/restaure_act.php. • https://github.com/AetherBlack/CVE/tree/main/PMB •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24737
https://notcve.org/view.php?id=CVE-2023-24737
06 Mar 2023 — PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php. • https://github.com/AetherBlack/CVE/tree/main/PMB • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-34328
https://notcve.org/view.php?id=CVE-2022-34328
22 Jun 2022 — PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php. PMB versión 7.3.10 permite un ataque de tipo XSS reflejado por medio del parámetro id en una petición lvl=author_see al archivo index.php • https://github.com/jenaye/PMB • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •