CVSS: 7.8EPSS: 20%CPEs: 1EXPL: 1CVE-2023-36284
https://notcve.org/view.php?id=CVE-2023-36284
23 Jun 2023 — An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. • https://flashy-lemonade-192.notion.site/Time-Based-SQL-injection-in-QloApps-1-6-0-0-be3ed1bdaf784a77b45dc6898a2de17e?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 16%CPEs: 1EXPL: 1CVE-2023-36289
https://notcve.org/view.php?id=CVE-2023-36289
23 Jun 2023 — An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST email_create and back parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-POST-Request-via-email_create-and-back-parameter-in-QloApps-1-6-0-e05548203d744daf9047d82fc94b19b7?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 14%CPEs: 1EXPL: 1CVE-2023-36287
https://notcve.org/view.php?id=CVE-2023-36287
23 Jun 2023 — An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-via-controller-parameter-in-QloApps-1-6-0-97e409ce164f40d195b625b9bf719900?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2925 – Webkul krayin crm Edit Person Page 2 cross site scripting
https://notcve.org/view.php?id=CVE-2023-2925
27 May 2023 — A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4. This affects an unknown part of the file /admin/contacts/organizations/edit/2 of the component Edit Person Page. The manipulation of the argument Organization leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://drive.google.com/file/d/1t7JwP0Qyo6ye-2dt6XhA1ENHDwsnYjD3/view?usp=sharing • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 73%CPEs: 1EXPL: 3CVE-2023-30256 – Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-30256
11 May 2023 — Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file. Webkul Qloapps version 1.5.2 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/172542 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41924
https://notcve.org/view.php?id=CVE-2021-41924
21 Jun 2022 — Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS). Webkul krayin crm versiones anteriores a 1.2.2, es vulnerable a un ataque de tipo Cross Site Scripting (XSS) • https://github.com/krayin/laravel-crm/pull/195/commits/882dc2e7e7e9149b96cf1ccacf34900960b92fb7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16403
https://notcve.org/view.php?id=CVE-2019-16403
18 Sep 2019 — In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers. En Webkul Bagisto en versiones anteriores a la 0.1.5, las funcionalidades para que los clientes cambien sus propios valores (como dirección, revisión, pedidos, etc.) también pueden ser manipuladas por otros clientes. • https://github.com/bagisto/bagisto/issues/749 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14933
https://notcve.org/view.php?id=CVE-2019-14933
11 Aug 2019 — Bagisto 0.1.5 allows CSRF under /admin URIs. Bagisto versión 0.1.5, permite un ataque de tipo CSRF bajo URIs /admin. • https://forums.bagisto.com/category/1/announcements • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 4CVE-2010-1659 – Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-1659
30 Apr 2010 — Directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. Una vulnerabilidad de salto de directorio en el componente para Joomla! Ultimate Portfolio (com_ultimateportfolio) v1.0 permite a atacantes remotos leer ficheros arbitrarios a través de un .. • https://www.exploit-db.com/exploits/12426 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •