Security Vulnerabilities - CVEs Published In September 2024
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to download arbitrary files from the C-MOR system via a path traversal attack. It was found out that different functionalities are vulnerable to path traversal attacks, due to insufficient user input validation. For instance, the download functionality for backups provided by the script download-bkf.pml is vulnerable to a path traversal attack via the parameter bkf. This enables an authenticated user to download arbitrary files as Linux user www-data from the C-MOR system. Another path traversal attack is in the script show-movies.pml, which can be exploited via the parameter cam.
CVSS Score
7.1
EPSS Score
0.022
Published
2024-09-05
itsourcecode Alton Management System 1.0 is vulnerable to SQL Injection in /noncombo_save.php via the "menu" parameter.
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-05
Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through multiple parameters in /jobportal/index.php.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-09-05
Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through user_email parameter in /jobportal/admin/login.php.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-09-05
SQL injection vulnerability, by which an attacker could send a specially designed query through id parameter in /jobportal/admin/employee/index.php, and retrieve all the information stored in it.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-09-05
SQL injection vulnerability, by which an attacker could send a specially designed query through CATEGORY parameter in /jobportal/admin/vacancy/controller.php, and retrieve all the information stored in it.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-09-05
Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through JOBID and USERNAME parameters in /jobportal/process.php.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-09-05
SQL injection vulnerability, by which an attacker could send a specially designed query through user_id parameter in /jobportal/admin/user/controller.php, and retrieve all the information stored in it.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-09-05
SQL injection vulnerability, by which an attacker could send a specially designed query through CATEGORY parameter in /jobportal/admin/category/controller.php, and retrieve all the information stored in it.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-09-05
SQL injection vulnerability, by which an attacker could send a specially designed query through id parameter in /jobportal/admin/category/index.php, and retrieve all the information stored in it.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-09-05