enferas

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12255

In file InvoicePlane-1.5.4\application\modules\quotes\controllers\Ajax.php

public function save()
{
  $db_array = array(
      'quote_password' => $this->input->post('quote_password'),
  );

enferas

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7223

In file InvoicePlane-1.5.4\application\modules\invoices\controllers\Ajax.php

public function save(){
$db_array = [
                'invoice_password' => $this->input->post('invoice_password'),
            ];

$this->mdl_invoices->save($invoice_id, $db_array);

enferas

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16772

In file: Hoosk-master\hoosk\hoosk0\models\Hoosk_model.php

public function createPage(){
//....
$contentdata = array(
    'pageID'          => $rows->pageID,
    'pageTitle'       => $this->input->post('pageTitle'),

enferas

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28586

In file Hoosk-master\hoosk\hoosk0\models\Hoosk_model.php

public function updatePage($id){
    // Update the page

    if ($this->input->post('content') != "") {
        $sirTrevorInput = $this->input->post('content');

enferas

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26043

path:

In file Hoosk-master\hoosk\hoosk0\models\Hoosk_model.php

if ($this->input->post('siteTitle') != "") {
    $data['siteTitle'] = $this->input->post('siteTitle');
}

enferas

CVE-2023-23026 is assigned

Cross site scripting (XSS) vulnerability in sourcecodester oretnom23 sales management system 1.0, allows attackers to execute arbitrary code via the product_name and product_price inputs in file print.php.

Link: https://www.sourcecodester.com/php-codeigniter-simple-sales-management-system-source-code

Mutiple XSS vulnerabilities.

The input (sources) are saved directly in the database.

enferas

CVE-2023-23011 is assigned Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php

Link: https://github.com/InvoicePlane/InvoicePlane

Multiple XSS vulnerabilities.

Vulnerability1: In file InvoicePlane-development\application\modules\products\controllers\Ajax.php

enferas

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0372

In file app\Http\Controllers\V1\Admin\Settings\CompanyController.php

public function uploadAvatar(Request $request){
    //...
        $data = json_decode($request->avatar);
        $user->addMediaFromBase64($data->data)
            ->usingFileName($data->name)
 ->toMediaCollection('admin_avatar');

enferas

Link: https://www.invicti.com/web-applications-advisories/ns-18-038-reflected-cross-site-scripting-in-microweber/

In file userfiles\modules\content\controllers\Manager.php

function index($params){
//...
$post_toolbar_view = $this->views_dir . 'toolbar.php';

$toolbar = new View($post_toolbar_view);

enferas

Link: phoronix-test-suite/phoronix-test-suite#650

CVE-2022-40704 is assigned to this discovery.

XSS vulnerability.

In file https://github.com/phoronix-test-suite/phoronix-test-suite/blob/master/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php

\\line 41
// Note: the source