Command injection in Tenda AC7 firmware 15.03.06.44 via the /goform/AdvSetLanip endpoint allows authenticated remote attackers to execute arbitrary commands with low impact on confidentiality, integrity, and availability. The vulnerability requires valid login credentials (PR:L) and affects the lanIp parameter. Publicly available exploit code exists, and EPSS scoring of 0.39% indicates low real-world exploitation probability despite public POC availability.
Insecure inherited permissions in Portabilis i-Educar up to version 2.9.10 allow authenticated remote attackers to escalate privileges through the User Type Handler component in AccessLevelController.php, potentially gaining unauthorized access to protected functionality. The vulnerability requires valid login credentials (PR:L) but carries low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists, though EPSS score of 0.06% (19th percentile) suggests limited real-world exploitation despite public disclosure.
Stored cross-site scripting (XSS) in code-projects Voting System 1.0 allows remote attackers to inject malicious scripts via the Firstname, Lastname, or Platform parameters in /admin/voters_add.php, requiring user interaction to trigger payload execution. The vulnerability has a low CVSS score (2.1) due to UI requirement, but publicly available exploit code exists and the attack requires no authentication or special configuration.
SQL injection vulnerability in Courier Management System 1.0 allows authenticated remote attackers to manipulate the Shippername parameter in /add-courier.php, enabling database queries to be executed with limited confidentiality and integrity impact. The publicly available exploit code and low CVSS score (2.1) reflect the requirement for valid authentication credentials, limiting real-world risk despite confirmed exploit availability.
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter in /admin/category.php, with publicly available exploit code. CVSS score of 2.1 reflects limited confidentiality impact and requirement for low-privilege authentication; EPSS of 0.03% indicates very low real-world exploitation probability despite public POC availability.
SQL injection in code-projects Student Result Manager 1.0 allows authenticated remote attackers to manipulate roll, name, or GPA parameters in Database.java, resulting in limited confidentiality, integrity, and availability impact. The vulnerability requires valid login credentials and has been publicly disclosed with exploit code available, but carries very low exploitation probability (EPSS 0.03%) and minimal security impact due to restricted scope.
SQL injection in Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the state parameter in /cms/admin/state.php, enabling data exfiltration or modification with limited scope. Publicly available exploit code exists; however, the CVSS 2.1 score and 0.03% EPSS percentile indicate low real-world exploitation risk despite the presence of proof-of-concept.
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the cid parameter in /cms/users/complaint-details.php, leading to limited data exposure. The vulnerability requires valid user authentication and has a publicly available proof-of-concept, but the EPSS score of 0.03% and CVSS impact metrics (VC:L/VI:L/VA:L) indicate low real-world exploitation probability despite public availability of exploit code.
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the cid parameter in /cms/users/register-complaint.php, resulting in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the EPSS score of 0.03% and requirement for prior authentication significantly constrain real-world exploitation risk compared to the CVSSv4 score of 2.1.
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the Username parameter in /cms/users/index.php and execute arbitrary SQL queries with limited impact to confidentiality, integrity, and availability. The CVSS 2.1 score and 0.03% EPSS percentile indicate low real-world risk despite public exploit availability, likely due to the authentication requirement (PR:L) and constrained impact scope.