Oretnom23: community verdicts
12 notable / known-exploited Oretnom23 CVEs the community has triaged.
- CVE-2022-26645CRIT 9.8Real · low riskEPSS 3%
A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.
- CVE-2022-26646CRIT 9.8Real · low riskEPSS 1%
Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter.
- CVE-2024-37857HIGH 8.8Real · low riskEPSS 1%
SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via id parameter to php-lfis/admin/categories/view_category.php.
- CVE-2024-37858CRIT 9.8Real · low riskEPSS 1%
SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.
- CVE-2023-36159MED 6.1EPSS 1%
Cross Site Scripting (XSS) vulnerability in sourcecodester Lost and Found Information System 1.0 allows remote attackers to run arbitrary code via the First Name, Middle Name and Last Name fields on the Create User page.
- CVE-2022-26644MED 6.1EPSS 1%
Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management.
- CVE-2023-36158MED 6.1EPSS 1%
Cross Site Scripting (XSS) vulnerability in sourcecodester Toll Tax Management System 1.0 allows remote attackers to run arbitrary code via the First Name and Last Name fields on the My Account page.
- CVE-2024-57523MED 4.5EPSS 0%
Cross Site Request Forgery (CSRF) in Users.php in SourceCodester Packers and Movers Management System 1.0 allows attackers to create unauthorized admin accounts via crafted requests sent to an authenticated admin user.
- CVE-2024-37859MED 6.1EPSS 0%
Cross Site Scripting vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the page parameter to php-lfis/admin/index.php.
- CVE-2023-33677HIGH 7.5Real · low riskEPSS 0%
Sourcecodester Lost and Found Information System's Version 1.0 is vulnerable to unauthenticated SQL Injection at "?page=items/view&id=*".
- CVE-2025-63891HIGH 7.5Real · low riskEPSS 0%
Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql.
- CVE-2024-37856MED 5.4EPSS 0%
Cross Site Scripting vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the first, last, middle name fields in the User Profile page.