CVE-2021-46005
https://notcve.org/view.php?id=CVE-2021-46005
Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the vehicalorcview parameter.
References: https://github.com/nawed20002/CVE-2021-46005 https://www.exploit-db.com/exploits/49546 https://www.sourcecodester.com/cc/14145/online-car-rental-system-using-phpmysql.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24519 – Vik Rent Car < 1.1.10 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24519
The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high-privilege users such as admin to use an XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue.
References: https://wpscan.com/vulnerability/368828f9-fdd1-4a82-8658-20e0f4c4da0c
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29227
https://notcve.org/view.php?id=CVE-2020-29227
An issue was discovered in Car Rental Management System 1.0. An unauthenticated user can perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, to cause local file inclusion resulting in code execution.
References: https://loopspell.medium.com/cve-2020-29227-unauthenticated-local-file-inclusion-7d3bd2c5c6a5 https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
CVE-2020-29287
https://notcve.org/view.php?id=CVE-2020-29287
An SQL injection vulnerability was discovered in Car Rental Management System v1.0; it can be exploited via the id parameter in view_car.php or the car_id parameter in booking.php.
References: https://github.com/BigTiger2020/Car-Rental-Management-System/blob/main/README.md https://www.exploit-db.com/exploits/49056 https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-27956
https://notcve.org/view.php?id=CVE-2020-27956
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
References: https://www.exploit-db.com/exploits/48931 https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
CWE-434: Unrestricted Upload of File with Dangerous Type