Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12255
In file InvoicePlane-1.5.4\application\modules\quotes\controllers\Ajax.php
public function save()
{
$db_array = array(
'quote_password' => $this->input->post('quote_password'),
);
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7223
In file InvoicePlane-1.5.4\application\modules\invoices\controllers\Ajax.php
public function save(){
$db_array = [
'invoice_password' => $this->input->post('invoice_password'),
];
$this->mdl_invoices->save($invoice_id, $db_array);
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16772
In file: Hoosk-master\hoosk\hoosk0\models\Hoosk_model.php
public function createPage(){
//....
$contentdata = array(
'pageID' => $rows->pageID,
'pageTitle' => $this->input->post('pageTitle'),
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28586
In file Hoosk-master\hoosk\hoosk0\models\Hoosk_model.php
public function updatePage($id){
// Update the page
if ($this->input->post('content') != "") {
$sirTrevorInput = $this->input->post('content');
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26043
path:
In file Hoosk-master\hoosk\hoosk0\models\Hoosk_model.php
if ($this->input->post('siteTitle') != "") {
$data['siteTitle'] = $this->input->post('siteTitle');
}
CVE-2023-23026 is assigned
Cross site scripting (XSS) vulnerability in sourcecodester oretnom23 sales management system 1.0, allows attackers to execute arbitrary code via the product_name and product_price inputs in file print.php.
Link: https://www.sourcecodester.com/php-codeigniter-simple-sales-management-system-source-code
Mutiple XSS vulnerabilities.
The input (sources) are saved directly in the database.
CVE-2023-23011 is assigned Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php
Link: https://github.com/InvoicePlane/InvoicePlane
Multiple XSS vulnerabilities.
Vulnerability1: In file InvoicePlane-development\application\modules\products\controllers\Ajax.php
CVE-2023-23027 is assigned
Link: https://www.sourcecodester.com/php-codeigniter-expense-management-system-source-code
9 XSS vulnerabilities
Sinks in application/views/index.php
// line 195
<input name="" readonly="" type="text" class="form-control form-control-sm" value="<?php echo $row->name ?>" placeholder="" aria-label="Name">
CVE-2023-23026 is assigned
Link: https://www.sourcecodester.com/php-codeigniter-simple-sales-management-system-source-code
Mutiple XSS vulnerabilities.
The input (sources) are saved directly in the database.
// Controllers/Categories.php
$data = $this->input->post();
CVE-2023-23025 is asigned
Link: https://www.sourcecodester.com/php-codeigniter-hotel-management-system-source-code
22 XSS vulnerabilities in this project.
Sources will be saved in the database, then it will be printed without sanitization in the view files.
For example,