This archive contains all of the 130 exploits added to Packet Storm in January, 2023.
ea59f7d618d1f8fe8f750faa31ef909e70fc61e5274fef5dd74a9c65027bb7bf
Control Web Panel versions prior to 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.
00cb85e5ab25f2d5091aa8c72d9d5252d08919dce9dbd37743bea7469e5dbc51
PHPJabbers Business Directory Script version 3.2 suffers from a cross site scripting vulnerability.
d2557e411d456bd34555a2aacdc580e243ce6132afdd23ed9686aef6b539969e
PHPJabbers Auto Classifieds Script version 3.2 suffers from a cross site scripting vulnerability.
a763dffdb3d9d66af1165c31dde196ceb865df88853aef37d01989c9d9427a14
mRemoteNG version 1.76.20 suffers from a weak permission privilege escalation vulnerability.
aa08068eda449c43f5c76d0ec56fca19930c2ac6719246bec693e3037f692da6
PHPJabbers Car Park Booking System version 2.0 suffers from a cross site scripting vulnerability.
692a826df097e4229d209944d70fe7f7799c532b5e037c41aba1f0ba9bebb91b
Zstore version 6.6.0 suffers from a cross site scripting vulnerability.
653905fd4efa9030f79aa84e990c72cb875f0be6933e755e36678f4aa2c9a0c8
PHPJabbers Event Ticketing System Script version 1.0 suffers from a cross site scripting vulnerability.
8fab16cdc74a1a2eec65f585cba5d399670dcb6b308f9255fea72f9fbd84df1a
PHPJabbers Travel Tours Script version 1.0 suffers from a remote SQL injection vulnerability.
ca11533d20acd6bee2a211d4e3de4c988afb414b29686bd6473042b4b019f864
PHPJabbers Travel Tours Script version 1.0 suffers from a cross site scripting vulnerability.
0a7f5b626d6393bcc255133a21566a6f163578785f29510c84d73418a28fd1fe
PHPJabbers Property Listing Script version 3.1 suffers from a remote SQL injection vulnerability.
a31fd6b56b7d7115984b30a6505b1ddcaee6cb5274d5e467b5411856220a7fd9
PHPJabbers Property Listing Script version 3.1 suffers from a cross site scripting vulnerability.
302f3f53c1a0e807af0b328668c5cb8b327fd8eb8e22a11b9af1c012ac5056ca
Razer Synapse version 3.7.0731.072516 suffers from a local privilege escalation due to a DLL hijacking vulnerability.
b44857059280bd0c0f9219f18143442834c6560bf766c7639b847e7be7cb3329
Micro Focus GroupWise is messaging software for email and personal information management. Trovent Security GmbH discovered that the GroupWise web application transmits the session ID in the URL of HTTP GET requests when email content is accessed. The exposed session ID can be recorded in the browser history of the client and in log files of the web server or reverse proxy server. An attacker with access to the browser history or the server log files is able to take control of the user session with the help of the session ID. Versions prior to 18.4.2 are affected.
45d877f2bc8d1d68f308fad7fe918c90f982d284964eee41b93805a3c6fb1ad2
PHPJabbers Car Rental Script version 3.0 suffers from a remote SQL injection vulnerability.
da611ec0ad9f60f8789a0b37c087ba77ab18171db28eb201e5d8c4312ef65403
Secure Web Gateway version 10.2.11 suffers from a cross site scripting vulnerability. RedTeam Pentesting identified a vulnerability which allows attackers to craft URLs to any third-party website that result in arbitrary content being injected into the response when accessed through the Secure Web Gateway. While it is possible to inject arbitrary content types, the primary risk arises from JavaScript code allowing for cross site scripting.
f0bbf9c04ccb2873653f86035ec08f7b9388e540d28d2f705eaf53a75692bfea
Inout Jobs Portal version 2.2.2 suffers from a cross site scripting vulnerability.
6f3be2d31feb3d9c7a0c800ce5810ede460356e4aec96ec7e16f05115241db1a
Inout Jobs Portal version 2.2.2 suffers from a remote SQL injection vulnerability.
9f8b4b7af85a0ac5ff2162e8db5b902d70686fae9043406cbad209c183367ccf
Inout Music version 5.1.1 suffers from a remote SQL injection vulnerability.
77e27e4a02fc7a2e3b12e40b81fb4fcccd78c51d27a51a95afd57db9e134c114
This Metasploit module exploits an unauthenticated command injection vulnerability in Cacti versions through 1.2.22 in order to achieve unauthenticated remote code execution as the www-data user.
e63c1aedc4dd728df608137b19687c9e69ec0ae051a555280b58f4cc45f05eb6
Inout Search Engine version 10.1.3 suffers from a cross site scripting vulnerability.
c32df83849d238b031091b57cbe551049a10b3a034d6d248af9e813f15050385
Inout Homestay version 2.0 suffers from a remote SQL injection vulnerability.
ddd17c54c1ad77326efd7f4df4ae548147ee2c630ceb187f992d756190a45d19
Active eCommerce CMS version 6.5.0 suffers from a persistent cross site scripting vulnerability.
bd1b8525d134e8539153037cbd2b3ebad280be2852c627e63b5bf9be93e5ebd0
ERPGo is a software as a service (SaaS) platform that is vulnerable to CSV injection attacks. This type of attack occurs when an attacker is able to manipulate the data that is imported or exported in a CSV file, in order to execute malicious code or gain unauthorized access to sensitive information. This vulnerability can be exploited by an attacker by injecting specially crafted data into a CSV file, which is then imported into the ERPGo system. This can potentially allow the attacker to gain access to sensitive information, such as login credentials or financial data, or to execute malicious code on the system.
801e5c6092682a2b27f17597b4056f7e77672f236eae2def67958ed0d9232464
Inout RealEstate version 2.1.3 suffers from a remote SQL injection vulnerability.
ffa3447c61c56fe4c310a17f891e52d6098984d03dfc9fd65cd0e880839be912