Command injection in D-Link DIR-816L firmware up to version 2.06B01 allows authenticated remote attackers to execute arbitrary system commands via the lxmldbc_system function in the Environment Variable Handler component. The vulnerability affects end-of-life hardware no longer receiving vendor support, with public exploit code available and low real-world exploitation probability despite network accessibility, limited only by requirement for valid authentication credentials.
Cross-site request forgery in PHPGurukul Complaint Management System 2.0 allows remote attackers to perform unauthorized actions via crafted requests requiring user interaction. The vulnerability has a low CVSS score of 2.1 due to required user interaction (UI:P) and limited integrity impact, but publicly available exploit code exists, making it actionable for targeted attacks against installations.
Cross-site scripting (XSS) in Campcodes Online Movie Theater Seat Reservation System 1.0 allows authenticated remote attackers to inject malicious scripts via the Firstname or Lastname parameters on the reserve page, requiring user interaction to trigger. The vulnerability has a low CVSS score of 2.0 due to authentication and user interaction requirements, but publicly available exploit code exists and the vulnerability is classified as problematic with potential for phishing or session hijacking attacks.
Reflected cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated remote attackers to inject malicious JavaScript via the visname parameter in bwdates-passreports-details.php, with user interaction required. Publicly available exploit code exists, though EPSS exploitation probability remains low at 0.05%, indicating limited real-world weaponization despite disclosure.
Stored cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users to inject malicious scripts via the visname parameter in pass-details.php, which are then executed in the context of other users' browsers. The vulnerability requires user interaction (UI:P) but can be exploited remotely by any authenticated user with access to the HTTP POST request handler. Publicly available exploit code exists, though the low EPSS score (0.05%) and requirement for user interaction and authentication suggest limited real-world exploitation risk.
Stored cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users to inject malicious scripts via the categoryname parameter in /category.php, which are subsequently reflected to other users. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting its direct impact to user account compromise or session hijacking of visiting administrators. Public exploit code is available and exploitation probability is low (EPSS 0.05%), suggesting limited real-world weaponization despite public disclosure.
Reflected cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the visname parameter in /bwdates-reports.php, executing arbitrary JavaScript in victim browsers when user interaction occurs. Publicly available exploit code exists; EPSS score of 0.05% indicates low real-world exploitation probability despite public POC availability.
Stored cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated remote attackers to inject malicious JavaScript via the visname parameter in /visitor-detail.php, which is then reflected to other users. The vulnerability requires user interaction (clicking a malicious link) but affects confidentiality and integrity of the application. Exploit code is publicly available on GitHub, though real-world exploitation remains limited (EPSS 0.05%).
Cross-site scripting vulnerability in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users with high privileges to inject malicious scripts via the visname parameter in the /manage-newvisitors.php endpoint, exploitable only when the victim user clicks a crafted link. The CVSS score of 1.9 reflects the severe privilege requirement (PR:H), mandatory user interaction (UI:P), and limited impact (integrity only); EPSS exploitation probability is minimal at 0.05%, indicating this poses negligible real-world risk despite publicly available exploit code.