Insecure permissions in Splashin iOS v2.0 expose precise location data for targeted users to unauthenticated network attackers via broken access control. The flaw, classified under CWE-284 (Improper Access Control), allows any remote party to query location information without credentials, bypassing the application's intended authorization model. No public exploit identified at time of analysis is inaccurate here - a publicly available proof-of-concept is documented in the referenced researcher disclosure, though EPSS remains low (0.24%, 15th percentile), suggesting opportunistic exploitation has not yet materialized at scale.
Cross-site request forgery in StudentManage v1.0 (DayCloud) allows a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim by luring them to a malicious webpage that auto-submits forged requests to the application. All default installations of v1.0 are affected per CPE data; no patched release has been identified. A publicly available proof-of-concept exploit exists, though no active exploitation has been recorded in CISA KEV and EPSS sits at a very low 0.19%.
A vulnerability classified as critical was found in code-projects Food Ordering Review System 1.0. This vulnerability affects unknown code of the file /pages/signup_function.php. The manipulation of the argument fname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Splashin iOS v2.0 fails to enforce server-side rate limiting on location update frequency for free-tier accounts, allowing free users to bypass tier-based restrictions and submit location updates at an unrestricted rate. Confirmed by CPE (cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*), this business logic flaw exposes the platform's API to abuse by any free-tier account holder. A publicly available proof-of-concept is referenced via NVD exploit tag; EPSS sits at 0.36% (28th percentile), indicating low probability of widespread automated exploitation.
Stored XSS in DayCloud's StudentManage v1.0 allows an authenticated administrative user to inject malicious JavaScript via the 'Add A New Student' module, which executes in the browser of any user who subsequently views the affected record. The Scope:Changed metric confirms the injected script runs in a different security context (the victim's browser session), enabling session hijacking or credential theft. No active exploitation is confirmed via CISA KEV, though a public proof-of-concept exists on GitHub; EPSS at 0.22% (13th percentile) reflects low observed exploitation activity.
Stored cross-site scripting in DayCloud StudentManage v1.0 allows an authenticated administrator to inject malicious JavaScript via the Add A New Course module, which then executes in the browsers of other users who view the affected course content. The CVSS vector (PR:H/UI:R/S:C) confirms this requires admin-level access and victim interaction, with scope change reflecting script execution in a different user's browser context. A public proof-of-concept is available on GitHub, though EPSS sits at 0.22% (13th percentile), and the vulnerability is not listed in CISA KEV, indicating no observed widespread exploitation.
Stored cross-site scripting in MRCMS 3.1.2's admin group management endpoint allows an authenticated administrator to inject malicious JavaScript via /admin/group/save.do, which executes in the browser of any other admin who subsequently visits the affected page. The scope-changed CVSS vector (S:C) confirms the impact crosses the security boundary from the injecting session to other users' sessions. A publicly available proof-of-concept exists on GitHub, though EPSS sits at 0.22% (13th percentile), indicating limited observed exploitation activity at time of analysis.
Stored cross-site scripting in DayCloud's StudentManage v1.0 allows authenticated administrators to inject malicious JavaScript via the Add A New Teacher module, which executes in victims' browsers when they load the affected page. The CVSS vector (PR:H, UI:R, S:C) confirms exploitation is gated behind high privileges and requires victim interaction, but the scope change flag reflects cross-user browser impact. A public proof-of-concept is available on GitHub; however, EPSS at 0.22% (13th percentile) and no CISA KEV listing indicate no confirmed widespread exploitation at time of analysis.
Unauthenticated arbitrary file read in Agorum Core open v11.9.2 and v11.10.1 exposes the underlying filesystem to any network-accessible attacker via the dynawebservice component. The access control failure (CWE-284) requires no authentication, no user interaction, and no special configuration - any exposed instance of these two specific versions is vulnerable. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-prerequisite network vector makes this trivially exploitable once an attacker identifies the endpoint, and the ECM context means sensitive documents, credentials, and configuration files are likely stored on the affected system.
XML External Entity (XXE) injection in agorum core open's RSSReader endpoint enables remote attackers to exfiltrate sensitive server-side data by submitting crafted XML payloads. Affected versions are v11.9.2 and v11.10.1 of this document management platform. EPSS exploitation probability sits at 0.22% (13th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA's KEV catalog - indicating low observed exploitation pressure despite the network-accessible, unauthenticated attack surface described by the CVSS vector.
Server-Side Request Forgery in Agorum core open's TunnelServlet component exposes internal and external network resources to unauthenticated remote attackers through crafted HTTP requests. Affected versions are 11.9.2 and 11.10.1 of the agorum Software GmbH document management platform. No active exploitation is confirmed and the EPSS score sits at the 10th percentile (0.20%), indicating low observed exploitation pressure at time of analysis, though the zero-authentication requirement lowers the barrier for opportunistic scanning.
Privilege escalation in Agorum core open v11.9.2 and v11.10.1 allows authenticated users to elevate their privileges to Administrator level, gaining access to sensitive components and information within the document management platform. The vulnerability stems from incorrect access control (CWE-284), meaning the application fails to properly enforce authorization boundaries between standard user and administrative roles. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.20% at the 10th percentile confirms low current exploitation interest, though the impact of gaining full admin access warrants prompt remediation.
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manage-users role to escalate privileges to realm-admin through improper privilege enforcement. When FGAPv2 is enabled, this vulnerability enables unauthorized elevation of administrative access rights, compromising the separation of administrative duties. No public exploit code or active exploitation has been identified at the time of analysis.
SQL Injection in B1.lt WordPress plugin up to version 2.2.56 allows authenticated attackers with Subscriber-level access to extract sensitive database information via an unescaped 'id' parameter. The vulnerability requires valid user credentials and network access but involves minimal interaction, making it a moderate risk for WordPress installations with many trusted users. No public exploit code or active exploitation has been confirmed.
Authorization Bypass Through User-Controlled Key vulnerability in Vidco Software VOC TESTER allows Forceful Browsing.41.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Block Editor Gallery Slider plugin for WordPress up to version 1.1.1 allows authenticated Subscriber-level attackers to modify post metadata for arbitrary posts due to a missing capability check in the classic_gallery_slider_options() function. The vulnerability has a CVSS score of 4.3 and requires only low-privileged authenticated access with no user interaction, but carries limited impact (data integrity only, no confidentiality or availability breach). No public exploit code or active exploitation has been identified at time of analysis.