Overview CVE-2025-13246 is a medium-severity path traversal vulnerability discovered in shsuishang’s ShopSuite ModulithShop. This vulnerability allows a remote attacker to potentially access sensitive files or directories on the server. The affected component resides within the JwtAuthenticationFilter class, posing a significant risk to the application’s security. Technical Details The vulnerability exists within the JwtAuthenticationFilter function located in the src/main/java/com/suisung/shopsuite/common/security/JwtAuthenticationFilter.java file of the ShopSuite ModulithShop application. By manipulating the input to this function, an attacker can bypass intended security checks and access files or directories outside of the permitted scope. The vulnerability has been confirmed in versions up to commit 45a99398cec3b7ad7ff9383694f0b53339f2d35a. A…
-
-
Overview CVE-2025-13245 describes a Cross-Site Scripting (XSS) vulnerability identified in the Code-Projects Student Information System version 2.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user data or system integrity. The vulnerable component resides within the /editprofile.php file. Technical Details The vulnerability exists due to insufficient input sanitization within the /editprofile.php file. An attacker can exploit this by crafting a malicious URL or form submission that injects JavaScript code. When a user interacts with the affected page, the injected script will execute in their browser, potentially allowing the attacker to steal cookies, redirect the…
-
Overview CVE-2025-13244 is a medium severity Cross-Site Scripting (XSS) vulnerability found in Student Information System version 2.0, a project by code-projects.org. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability exists in the /register.php file and can be exploited remotely. Public exploit code is available, increasing the risk of active exploitation. Technical Details The vulnerability resides within the /register.php file, specifically in an unidentified function handling user input during the registration process. Improper sanitization of user-supplied data allows an attacker to inject malicious JavaScript code. This injected code…
-
Overview A medium severity SQL Injection vulnerability, identified as CVE-2025-13243, has been discovered in code-projects Student Information System 2.0. This vulnerability could allow a remote attacker to execute arbitrary SQL commands, potentially leading to data breaches, modification of data, or unauthorized access. This article provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation strategies. Technical Details The vulnerability resides in the /editprofile.php file of the Student Information System 2.0. Specifically, an unknown function within this file is susceptible to SQL Injection. An attacker can manipulate input parameters to inject malicious SQL code. The exploit is publicly…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13242, has been discovered in code-projects Student Information System version 2.0. This vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to data breaches, system compromise, and unauthorized access to sensitive student information. Technical Details The vulnerability exists in the /register.php file of the Student Information System. An attacker can manipulate input parameters during the registration process to inject malicious SQL code. Due to insufficient input sanitization, the injected SQL code is then executed by the database server. The exploit is publicly available, increasing the risk of widespread exploitation. CVSS…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13241, has been discovered in code-projects Student Information System 2.0. This flaw allows a remote attacker to execute arbitrary SQL queries by manipulating the Username argument in the /index.php file. This vulnerability poses a significant risk to the confidentiality, integrity, and availability of the affected system. Technical Details The vulnerability lies in the insufficient sanitization of user-supplied input in the Username parameter of the /index.php file. An attacker can inject malicious SQL code into this parameter, which is then executed directly against the database. This can allow the attacker to bypass authentication,…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13240, has been discovered in the code-projects Student Information System 2.0. This vulnerability allows remote attackers to execute arbitrary SQL commands by manipulating the ‘s’ argument in the /searchquery.php file. With a CVSS score of 7.3, this vulnerability poses a significant risk to systems running the affected software. An exploit is publicly available, increasing the urgency for immediate mitigation. Technical Details The vulnerability resides in the /searchquery.php file of the Student Information System 2.0. Specifically, the application fails to properly sanitize user-supplied input to the ‘s’ parameter. An attacker can craft a…
-
Overview CVE-2025-13239 details a medium severity security vulnerability found in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution version 5. This vulnerability allows for remote exploitation, potentially leading to a disruption of expected behavioral workflows during the checkout process. The vendor has been notified but has not responded to the disclosure. Technical Details The vulnerability resides within the /submit_checkout file. Specifically, the order_total_amount and/or cart_total_amount arguments can be manipulated to influence the checkout workflow. An attacker can remotely manipulate these values, leading to unintended consequences in the ordering and payment process. The exact nature of the unintended consequences is not…
-
Overview CVE-2025-13238 describes a medium-severity vulnerability found in Bdtask Flight Booking Software version 4. This security flaw allows for unrestricted file uploads, potentially enabling attackers to execute arbitrary code on the server. The vendor has been notified but has not yet responded to address this vulnerability. Technical Details The vulnerability resides within the /agent/profile/edit endpoint, specifically on the Edit Profile Page. An attacker can manipulate the file upload process to bypass security checks and upload malicious files, such as PHP scripts or other executable content. This unrestricted upload capability can be exploited remotely. The vulnerability allows an attacker to upload…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13237, has been discovered in itsourcecode Inventory Management System version 1.0. This flaw allows remote attackers to execute arbitrary SQL commands through the manipulation of the U_USERNAME argument in the /LogSignModal.PHP file. This vulnerability has been publicly disclosed and may be actively exploited. Technical Details The vulnerability stems from inadequate sanitization of user-supplied input within the /LogSignModal.PHP file. Specifically, the U_USERNAME parameter, used during login or signup processes, is not properly escaped or validated before being used in a SQL query. This allows an attacker to inject malicious SQL code into the…