killmonday/isic.lk-RCE

killmonday/isic.lk-RCE

Releases0

Stars3

isic.lk tour booking website multi vuln (sqli/ file upload / info leak) lead to RCE

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2022-28607 ↗	Dec 1, 2022Thursday, 1 December 2022, 13:15	7.5 HIGH	—
An issue was discovered in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to gain sensitive information via the action parameter to /system/user/modules/mod_users/controller.php.
CVE-2022-30528 ↗	Dec 1, 2022Thursday, 1 December 2022, 13:15	9.8 CRITICAL	—
SQL Injection vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to execute arbitrary commands via the username parameter to /system/user/modules/mod_users/controller.php.
CVE-2022-30529 ↗	Nov 22, 2022Tuesday, 22 November 2022, 01:15	7.2 HIGH	—
File upload vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php.