vendor: https://github.com/sruupl/batflat
version: <= 1.3.6
An external control of file name or path vulnerability (CWE-73) is in inc/modules/settings/Admin.php.
At line 371, the file path and content to write are both partially controlled by the attacker.
Although the extension of the file is limited to .ini, the attacker can write a .user.ini file
that is supported by PHP running on fastcgi to make arbitrary code execution.
vendor: online-rental-property-manager
version: <= 7.1, fix in edb404c4e31966338762de3022d0e6cfac63ca2b
An XSS vulnerability (Cross site Scripting) (CWE-79) is in app/hooks/applicants_and_tenants_filter.php.
At line 93, The $FilterValue[1] is inserted into javascript string represented using single quotes
and is escaped by htmlspecialchars. However, htmlspecialchars doesn't escape ' without
the ENT_QUOTES flag. Therefore, an attacker can still exploit this by using ' to break out of
the javascript string and inject malicious Javascript code.
This allows attackers to obtain cookies of administrator and other users and fake their login using obtained cookies.
vendor: ihofmann/open-websoccer: A PHP based online football/soccer manager game. (github.com)
version: <= 5.2.3
php version: 5.x
An XSS vulnerability (Cross site Scripting) (CWE-79) is in websoccer/admin/forgot-password.php.
At line 129, The $_POST['inputEmail'] is inserted into the value attribute of <input> tag and is escaped by escapeOutput,
which is actually employs htmlspecialchars($message, ENT_COMPAT, 'UTF-8') at line 30
of websoccer/admin/functions.inc.php.
Vendor: https://github.com/xiebruce/PicUploader
version: before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be
A SQL injection vulnerability is in https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryModel.php#L31
public function createOne($data){
$uploadTime = date('Y-m-d H:i:s');
$sql = 'INSERT INTO `'.self::$tableName.'`(`filename`, `url`, `size`, `created_at`, `mime`, `md5`, `upload_server`) VALUES("'.$data['filename'].'", "'.$data['url'].'", '.$data['size'].', "'.$uploadTime.'", "'.$data['mime'].'", "'.$data['md5'].'", "'.$data['uploadServer'].'")';
Vendor: https://github.com/xiebruce/PicUploader
version: before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be
A SQL injection vulnerability is in https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryController.php#L189.
public function getByConditions($conditionArr){
$model = new HistoryModel();
try {
Vendor: https://github.com/xiebruce/PicUploader
version: before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be
A SQL injection vulnerability is in https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryController.php#L107
$keyword = isset($_GET['keyword']) ? trim($_GET['keyword']) : '';
$model = new HistoryModel();
vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)
version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)
A file inclusion vulnerability is in getLangFolderForEdit method of application/modules/admin/controllers/advanced_settings/Languages.php.
By controlling $_GET['editLang'], the attacker can make the server include .php files under specific directory.
The attacker can use CVE-2024-31821
to write malicous PHP code in log-xxxx.php and use this vulnerability to include PHP files under application/logs/ (At this point, BASEPATH has been set, allowing bypass of the check at the beginning of the log file.),
which leads to remote code execution.
vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)
version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)
A second-order SQL injection vulnerability is in manageQuantitiesAndProcurement method of application/modules/admin/models/Orders_model.php.
The $product['product_quantity'] and $product['product_info']['id'] are inserted into SQL statements without any sanitizers.
These two values come from previous query result and users can control them in setOrder method of application/models/Public_model.php,
which leads to a SQL injection.
vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)
version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)
An arbitrary file deletion (CWE-73) vulnerability is in application/modules/admin/controllers/ecommerce/Publish.php.
In the method removeSecondaryImage, the attacker can delete any file in the server by controlling $_POST['folder'] and
$_POST['image'] after authorization.
public function removeSecondaryImage()
vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)
version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)
A code injection(CWE-94) vulnerability is in application/modules/admin/controllers/advanced_settings/Languages.php.
In the saveLanguageFiles method, the element of $_POST['php_keys'] is escaped by htmlentities and enclosed in two single
quotes as the key of $lang. However, htmlentities doesn't escape ' , which allows the attacker to escape from single quotes and inject malicious PHP code, leading to authenticated remote code execution.
private function saveLanguageFiles()