Vulnerabilities

A vulnerability was found in MD-MAFUJUL-HASAN Online-Payroll-Management-System up to 20230911. It has been rated as critical. This issue affects some unknown processing of the file /branch_viewmore.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The associated identifier of this vulnerability is VDB-272447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tianchoy Blog up to 1.8.8. It has been classified as critical. This affects an unknown part of the file /so.php. The manipulation of the argument search leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272445 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in MD-MAFUJUL-HASAN Online-Payroll-Management-System up to 20230911. It has been declared as critical. This vulnerability affects unknown code of the file /designation_viewmore.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. VDB-272446 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users.<br /> <br /> <br /> While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token.<br /> <br /> Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS<br /> <br /> This was the original found by researcher Zakaria Agharghar.<br /> <br /> <br /> <br /> <br /> 2. Later, on October 20, 2025, another researcher (Chris O’Neill) found additional affected DWR Endpoints that are vulnerable to Information Disclosure, namely and in addition to the original found of "UserSessionAjax.getSessionList.dwr - Session ID exposure":<br /> <br /> <br /> <br /> * UserAjax.getUsersList.dwr - Enumerate all users with IDs, names, emails<br /> <br /> * RoleAjax.getUserRole.dwr - Get user role information<br /> <br /> * RoleAjax.getRole.dwr - Get role details<br /> <br /> * RoleAjax.getRolePermissions.dwr - View role permissions<br /> <br /> * RoleAjax.isPermissionableInheriting.dwr - Check permission inheritance<br /> <br /> * RoleAjax.getCurrentCascadePermissionsJobs.dwr - View permission cascade jobs<br /> <br /> * ThreadMonitorTool.getThreads.dwr - Monitor system threads; and,<br /> <br /> * CRITICAL - Privilege Escalation: RoleAjax.saveRolePermission.dwr - Modify role permissions<br /> <br /> <br /> Overall CVSS for the above findings:<br /> <br /> <br /> <br /> * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L <br /> <br /> * Score: 9.1 (Critical)

Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand

Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

The "reset password" login page accepted an HTML injection via URL parameters.<br /> <br /> This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E <br /> <br /> This will result in a view along these lines:<br /> <br /> <br /> <br /> <br /> <br /> * OWASP Top 10 - A03: Injection<br /> * CVSS Score: 5.4<br /> * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator <br /> * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&amp;... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user.

Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.

Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.

A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.