Klik Socialmediawebsite
Monthly
Injection vulnerability in KLiK SocialMediaWebsite 1.0 allows remote unauthenticated attackers to submit crafted HTTP POST request parameters to the application's input handler, achieving partial compromise of confidentiality, integrity, and availability. Classified under CWE-74 and tagged as Code Injection, the flaw carries a CVSS 4.0 score of 5.5 (Medium) with confirmed proof-of-concept exploit code publicly available (E:P). Despite the POC, EPSS places exploitation probability at 0.04% (14th percentile), indicating low observed real-world exploitation activity and a narrow effective target base.
Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Injection via HTTP GET request parameter manipulation in KLiK SocialMediaWebsite 1.0 allows remote attackers to inject arbitrary content or code through the application's parameter handler, contingent on passive user interaction. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact scoped exclusively to the vulnerable system with no lateral impact. Publicly available exploit code exists per the E:P exploit maturity metric and SSVC poc classification, though EPSS at 0.04% (13th percentile) and the non-KEV status indicate no observed widespread exploitation.
A reflected cross-site scripting (XSS) vulnerability in SocialMediaWebsite v1.0.1 allows attackers to inject malicious JavaScript into the web browser of a victim via the poll parameter in poll.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
KLiK SocialMediaWebsite version 1.0.1 from msaad1999 has a reflected cross-site scripting (XSS) vulnerability which may allow remote attackers to execute arbitrary JavaScript in the web browser of a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A reflected cross-site scripting (XSS) vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaScript into the web browser of a victim via the search parameter in offer.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
KLiK SocialMediaWebsite version v1.0.1 is vulnerable to SQL Injection via the profile.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Injection vulnerability in KLiK SocialMediaWebsite 1.0 allows remote unauthenticated attackers to submit crafted HTTP POST request parameters to the application's input handler, achieving partial compromise of confidentiality, integrity, and availability. Classified under CWE-74 and tagged as Code Injection, the flaw carries a CVSS 4.0 score of 5.5 (Medium) with confirmed proof-of-concept exploit code publicly available (E:P). Despite the POC, EPSS places exploitation probability at 0.04% (14th percentile), indicating low observed real-world exploitation activity and a narrow effective target base.
Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Injection via HTTP GET request parameter manipulation in KLiK SocialMediaWebsite 1.0 allows remote attackers to inject arbitrary content or code through the application's parameter handler, contingent on passive user interaction. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact scoped exclusively to the vulnerable system with no lateral impact. Publicly available exploit code exists per the E:P exploit maturity metric and SSVC poc classification, though EPSS at 0.04% (13th percentile) and the non-KEV status indicate no observed widespread exploitation.
A reflected cross-site scripting (XSS) vulnerability in SocialMediaWebsite v1.0.1 allows attackers to inject malicious JavaScript into the web browser of a victim via the poll parameter in poll.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
KLiK SocialMediaWebsite version 1.0.1 from msaad1999 has a reflected cross-site scripting (XSS) vulnerability which may allow remote attackers to execute arbitrary JavaScript in the web browser of a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A reflected cross-site scripting (XSS) vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaScript into the web browser of a victim via the search parameter in offer.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
KLiK SocialMediaWebsite version v1.0.1 is vulnerable to SQL Injection via the profile.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.