In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve remote code execution via a crafted .cgi file by chaining those functionalities in the file manager.
174516108c4d106859887c676523c5bd94d8fe133ba6657e421890c8d9f7ef89
Webmin version 1.984 authenticated remote code execution exploit.
7286890f523f72cddacdb1075dae1a9d259f00e38f0108409ebfb8be0654690a
RiteCMS versions 3.1.0 and below suffer from an arbitrary file overwrite vulnerability.
e9fa75c629af64ae183c5725e751e06ae70b1b99a2ae57f02be8cb0d8c246b33
RiteCMS versions 3.1.0 and below suffer from an arbitrary file deletion vulnerability.
1df19daa585e534af2fdd30939aae2a3e509e07d0fc2be95e5611c25f6237ab1
RiteCMS versions 3.1.0 and below suffer from multiple methodologies that allow for a shell upload.
69e05c5f55d9345dbff8780f4b23ea8c5642b129f90af8f048103ac9bb8962b5
XOS Shop version 1.0.9 suffers from an authenticated arbitrary file deletion vulnerability.
6f8b017fcb905dadb6bf19edef6c377d8386f4f1960c35cbb20f753ea24da872
CSZ CMS version 1.2.9 suffers from an arbitrary file deletion vulnerability.
8df23b57005e825721dd10ab97928c0cfd872018d576cb42f57f009138e7dd93
News Portal Project version 3.1 suffers from multiple remote time-based SQL injection vulnerabilities.
3f56ebd1b9bbf5e77165fd6880d47dc10e5c4c00a42cb8ff45cb77a53362d347
Proof of concept code for a time-based blind remote SQL injection vulnerability in Online Shopping Portal version 3.1. This is a variant of the original discovery of SQL injection in this version by Umit Yalcin in July of 2020.
767219aec319fdaf3843c6a3cee1e6adffa3ddc30ff33399b70b01cfabe1a3d6
Vehicle Parking Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to gh1mau in July of 2020.
4cd8f0375100e5b08ef632a5d81e17f0c41e7de6fbd847bb2265513d0f7ccc89
Vehicle Parking Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of persistent cross site scripting in this version is attributed to Tushar Vaidya in February of 2021.
9bec80e5c2a5aa1ef11d5bf7ba3fefc9dd167b4102e4b463a46172b3e3c4bd46
PEEL Shopping version 9.3.0 suffers from a remote SQL injection vulnerability.
bb075e29d3bbfafef1042c9720d8285f75488e0c4067d3cf5021548fc4c93b8f
Online Covid Vaccination Scheduler System version 1.0 suffers from a remote shell upload vulnerability.
4b00627f9d97cd1cf78b8ef09aaada4fbe79cad01061c59440da2eadc6def00d
Online Covid Vaccination Scheduler System version 1.0 suffers from a remote time-based blind SQL injection vulnerability.
32a4ebe3a2c4d0408162c566f003abfc0258309dc6f2635c17de7c4a2d850b46
Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
e5bc430fc4ad7d6f227a8c1a5fcd8a552e5a272a0958308866a3041d552b4428
Phone Shop Sales Managements System version 1.0 shell upload exploit. This is a variant of the original discovery made in this version of the software by Richard Jones in April of 2021.
741ee4649f85470c6abf3e9d7ca9af0640a3297efc7e3ba82a49e4ebe98b8837
Proof of concept exploit for a path traversal vulnerability in Pallets Werkzeug version 0.15.4.
4f5c6bd91b62008c37cb7bf8cbae42390e891388493b81718362ca9738d106b3