This repo includes the CVEs that discovered by our research group. - iot-sec23/IoT-CVE

CVE-2023-33495

There is an arbitrary file upload vulnerability in the background avatar upload. The CMS only verified the suffix of the file in the front end by js, and we found that we could upload the PHP scrip...

in framework/phpok_call.php, the function _userlist has a sql injection in some reasons, we can controll the value of variable $rs, so we can splice evil sql query you can see, it also include sens...

A reflected XSS vulnerability was found in Allusio V1.8.1. An attacker can inject arbitrary web script or HTML through the "path" parameter in the Browse board, causing a reflected XSS at...

i found a sql injection vulnerability in the backend management system of PHPMyWind 5.6 The relevant source code is as follows: //修改管理员 else if($action == 'update') { //创始人账号不允许更改状态 if($id ...

After login background, add user place CSRF POC: <script>history.pushState('', '', '/')</script>

1.In the set_cache method of the \coreframe\app\core\libs\function\common.func.php file, when $data is not of the array type, $data will be written directly to the php file. function set_cache($fil...

There is a stored XSS vulnerability in the comment edit and software version is 11.6.4. The following poc is valid: "'<img src=1 onerror=alert(document.cookie); /> <div onmouseove...

CSRF exists in the background (administrator) to delete users: The backend only cares about the values of the parameters' deleteuserids' and 'updateuserids' So the attacker only nee...

Storage XSS vulnerability in News release. poc: <script>alert("test")</script> Successful execution of payload code

In the background, you can upload the PHP file by changing the image suffix to PHP, resulting in command execution. url：http://192.168.18.143/admin/index.php?r=admin-user%2Fupdate-self

typora 0.9.79 tested on win10,Mac OS using mermaid,Iframe won't be sandboxed XSS POC: ```mermaid graph TD B --> C{<iframe srcdoc=&#60&#115&#99&#114&#105&#112&#...

在2.1.3版本中，前台对文章评论处，可以插入获取管理员cookie的XSS语句，管理员访问登录后台即可触发XSS。

Pluck-4.7.10 admin background exists a remote command execution vulnerability it happens when restore file from trashcan,and the restoring file has the same with one of the files in uploaded files ...

pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme Demo: After the installation is successful, go to the management background. options-...

Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page Vulnerability location： data\inc\functions.admin.php 531-535 line Saves the hidden pa...

CSRF vulnerability There is a CSRF vulnerability to add an administrator account After the administrator logged in, open the following page poc Hack.html-----add an administrator accoun <html&gt...

First Enter the page: http://127.0.0.1/taocms/admin/admin.php?action=frame&ctrl=iframes and the payload is: Then,we can see the result.