CVE-2023-3007 – ningzichun Student Management System Password Reset resetPassword.php password recovery
https://notcve.org/view.php?id=CVE-2023-3007
A vulnerability was found in ningzichun Student Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file resetPassword.php of the component Password Reset Handler. The manipulation of the argument sid leads to weak password recovery. The attack may be launched remotely. • https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/password_reset.md https://vuldb.com/?ctiid.230354 https://vuldb.com/?id.230354 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVE-2021-33371
https://notcve.org/view.php?id=CVE-2021-33371
A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box. Una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en el archivo /nav_bar_action.php de Student Management System versión v1.0, permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en el cuadro de chat • https://www.exploit-db.com/exploits/49865 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-23935 – Student Management System 1.0 - SQLi Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-23935
Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)". Kabir Alhasan Student Management System versión 1.0, es vulnerable a una Omisión de Autenticación por medio de "Username: admin'# && Password: (Write Something)" Kabir Alhasan Student Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass. • https://www.exploit-db.com/exploits/50579 http://packetstormsecurity.com/files/165215/Kabir-Alhasan-Student-Management-System-1.0-SQL-Injection.html https://github.com/enesozeser/Vulnerabilities/blob/master/CVE-2020-23935 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •