WarmBrew/web_vul

GitHub

github.com

Releases0

Stars3

Documenting some of my CVE exploits and learning how to be a bug hunter.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-44757 ↗	Nov 18, 2024Monday, 18 November 2024, 17:15	7.5 HIGH	—
An arbitrary file download vulnerability in the component /Basics/DownloadInpFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request.
CVE-2024-44756 ↗	Nov 18, 2024Monday, 18 November 2024, 17:15	9.8 CRITICAL	—
NUS-M9 ERP Management Software v3.0.0 was discovered to contain a SQL injection vulnerability via the usercode parameter at /UserWH/checkLogin.
CVE-2024-44758 ↗	Nov 15, 2024Friday, 15 November 2024, 21:15	9.8 CRITICAL	—
An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files.
CVE-2024-44759 ↗	Nov 15, 2024Friday, 15 November 2024, 20:15	7.5 HIGH	—
An arbitrary file download vulnerability in the component /Doc/DownloadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request.
CVE-2024-44760 ↗	Aug 28, 2024Wednesday, 28 August 2024, 20:15	7.5 HIGH	—
Incorrect access control in the component /servlet/SnoopServlet of Shenzhou News Union Enterprise Management System v5.0 through v18.8 allows attackers to access sensitive information regarding the server.
CVE-2024-44761 ↗	Aug 28, 2024Wednesday, 28 August 2024, 19:15	9.8 CRITICAL	—
An issue in EQ Enterprise Management System before v2.0.0 allows attackers to execute a directory traversal via crafted requests.
CVE-2024-42680 ↗	Aug 15, 2024Thursday, 15 August 2024, 14:15	5.5 MEDIUM	—
An issue in Super easy enterprise management system v.1.0.0 and before allows a local attacker to obtain the server absolute path by entering a single quotation mark.
CVE-2024-42679 ↗	Aug 15, 2024Thursday, 15 August 2024, 14:15	7.8 HIGH	—
SQL Injection vulnerability in Super easy enterprise management system v.1.0.0 and before allows a local attacker to execute arbitrary code via a crafted script to the/ajax/Login.ashx component.
CVE-2024-42678 ↗	Aug 15, 2024Thursday, 15 August 2024, 14:15	6.1 MEDIUM	—
Cross Site Scripting vulnerability in Super easy enterprise management system v.1.0.0 and before allows a local attacker to execute arbitrary code via a crafted script to the /WebSet/DlgGridSet.html component.
CVE-2024-42677 ↗	Aug 15, 2024Thursday, 15 August 2024, 14:15	5.5 MEDIUM	—
An issue in Huizhi enterprise resource management system v.1.0 and before allows a local attacker to obtain sensitive information via the /nssys/common/filehandle. Aspx component
CVE-2024-42676 ↗	Aug 15, 2024Thursday, 15 August 2024, 14:15	8.8 HIGH	—
File Upload vulnerability in Huizhi enterprise resource management system v.1.0 and before allows a remote attacker to execute arbitrary code via the /nssys/common/Upload. Aspx? Action=DNPageAjaxPostBack component
CVE-2024-39178 ↗	Jul 5, 2024Friday, 5 July 2024, 17:15	5.4 MEDIUM	—
MyPower vc8100 V100R001C00B030 was discovered to contain an arbitrary file read vulnerability via the component /tcpdump/tcpdump.php?menu_uuid.
CVE-2024-30802 ↗	May 14, 2024Tuesday, 14 May 2024, 15:23	9.8 CRITICAL	—
An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component.
CVE-2024-30801 ↗	May 14, 2024Tuesday, 14 May 2024, 15:23	5.5 MEDIUM	—
SQL Injection vulnerability in Cloud based customer service management platform v.1.0.0 allows a local attacker to execute arbitrary code via a crafted payload to Login.asp component.
CVE-2024-22547 ↗	Feb 22, 2024Thursday, 22 February 2024, 19:15	4.7 MEDIUM	—
WayOS IBR-7150 <17.06.23 is vulnerable to Cross Site Scripting (XSS).