Client Details System
Authentication bypass in code-projects Client Details System 1.0 allows authenticated remote attackers to gain unauthorized access to protected functionality via an unknown vector. Public exploit code is available, but the vulnerability is rated low-risk because of its CVSS score of 2.1 and EPSS probability of 0.01%, indicating limited real-world exploitation potential despite being remotely exploitable.
Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated users with high privileges to inject malicious scripts via the /admin/manage-users.php endpoint, which are then executed in the browsers of other users who interact with the managed user data. The vulnerability requires administrative privileges and user interaction (UI:P) to exploit, resulting in limited integrity impact (VI:L). Public exploit code is available, though the extremely low CVSS score (1.9) and EPSS probability (0.04%) reflect the high privilege barrier and user interaction requirement that significantly constrain real-world risk.
Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated high-privilege users to inject malicious scripts into the /admin/clientview.php endpoint that execute in the context of other users' browsers. The vulnerability requires user interaction (victim must view affected content) and high administrative privileges to exploit, limiting real-world risk despite public exploit disclosure. EPSS score of 0.03% reflects the stringent authentication and interaction requirements that prevent widespread automated exploitation.
Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows high-privileged authenticated users to inject malicious scripts via the /update-clients.php endpoint, requiring user interaction to execute. The vulnerability carries a low CVSS score of 1.9 due to high privilege requirements (PR:H) and mandatory user interaction (UI:P), but publicly available exploit code exists, making it actionable for insider threats or social engineering scenarios targeting administrators.
Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows remote attackers with high privileges and user interaction to inject malicious scripts via the /welcome.php file, resulting in limited integrity impact. The vulnerability has been publicly disclosed with exploit code available, though real-world exploitation is constrained by the requirement for high administrative privileges and user interaction, reflected in the exceptionally low CVSS score of 1.9 and EPSS probability of 0.03%.
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the ID parameter in clientdetails/welcome.php, enabling database queries with limited scope impact. The CVSS score of 2.1 reflects low severity, due to the authentication requirement (PR:L) and limited confidentiality/integrity exposure (VC:L/VI:L); public exploit code exists, but the EPSS score (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite PoC availability.
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the uid parameter in /admin/update-profile.php, enabling arbitrary database queries with limited confidentiality and integrity impact. Publicly available exploit code exists; however, the EPSS score of 0.04% and CVSS 2.1 severity indicate low real-world exploitation probability despite low barriers to attack (network-accessible, low complexity, no user interaction required).