CVE-2020-25761 – Visitor Management System In PHP 1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-25761
Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject JavaScript payloads in the parameters to perform various attacks such as stealing cookies, sensitive information, etc.
References:
• http://packetstormsecurity.com/files/159263/Visitor-Management-System-In-PHP-1.0-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2020/Sep/45
• https://packetstormsecurity.com/files/author/15149
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25760 – Visitor Management System In PHP 1.0 SQL Injection
https://notcve.org/view.php?id=CVE-2020-25760
Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database.
References:
• http://packetstormsecurity.com/files/159262/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html
• http://packetstormsecurity.com/files/159637/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html
• http://seclists.org/fulldisclosure/2020/Sep/43
• https://packetstormsecurity.com/files/author/15149
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-23833
https://notcve.org/view.php?id=CVE-2020-23833
Projectworlds House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability, allowing remote attackers to execute arbitrary code on the hosting webserver via a malicious index.php POST request.
References:
• https://packetstormsecurity.com/files/158811/House-Rental-1.0-SQL-Injection.html
• https://projectworlds.in
• https://projectworlds.in/wp-content/uploads/2019/06/home-rental.zip
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-24199
https://notcve.org/view.php?id=CVE-2020-24199
Arbitrary File Upload in the Vehicle Image Upload component in Project Worlds Car Rental Management System v1.0 allows attackers to conduct remote code execution.
References:
• https://github.com/hyd3sec/CarRentalManagement-Unauth-RCE-WebApp
• https://github.com/hyd3sec/CarRentalManagement-Unauth-RCE-WebApp/blob/master/CarRental-Unauth-RCE.py
• https://projectworlds.in/free-projects/php-projects/car-rental-project-in-php-and-mysql
Weakness: CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2020-24203
https://notcve.org/view.php?id=CVE-2020-24203
Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.
References:
• https://github.com/hyd3sec/TravelManagementSystemRCE
• https://projectworlds.in/free-projects/php-projects/travel-management-system-project-in-php-mysql
Weaknesses: CWE-425: Direct Request ('Forced Browsing'); CWE-434: Unrestricted Upload of File with Dangerous Type