Realguoxiufeng

#12502of 53,633
21.8Total CVSS
Vulnerabilities · 3
Medium
1
High
1
Critical
1
PT-2022-27363
4.8
2022-12-07
Unknown · Online Leave Management System · CVE-2022-45008
**Name of the Vulnerable Software and Affected Versions** Online Leave Management System version 1.0 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability is located in the `/leave system/admin/?page=maintenance/department` component and allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Name` field under the Create New module. **Recommendations** For Online Leave Management System version 1.0, as a temporary workaround, consider restricting access to the `/leave system/admin/?page=maintenance/department` component to minimize the risk of exploitation. Avoid using the `Name` field in the Create New module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-27364
7.2
2022-12-07
Unknown · Online Leave Management System · CVE-2022-45009
**Name of the Vulnerable Software and Affected Versions** Online Leave Management System version 1.0 **Description** The issue allows attackers to execute arbitrary code via a crafted PHP file, exploiting an arbitrary file upload vulnerability at the "/leave system/classes/SystemSettings.php?f=update settings" API endpoint. **Recommendations** For version 1.0, consider disabling the file upload functionality in the SystemSettings.php file until a patch is available to prevent exploitation. Restrict access to the /leave system/classes/SystemSettings.php?f=update settings endpoint to minimize the risk of arbitrary code execution.
PT-2022-27366
9.8
2022-12-07
Unknown · Simple Phone Book/Directory Web App · CVE-2022-45010
**Name of the Vulnerable Software and Affected Versions** Simple Phone Book/Directory Web App version 1.0 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `editid` parameter at the "/PhoneBook/edit.php" API endpoint. **Recommendations** For Simple Phone Book/Directory Web App version 1.0, avoid using the `editid` parameter in the "/PhoneBook/edit.php" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "/PhoneBook/edit.php" endpoint to minimize the risk of exploitation.