Refine your search
12 vulnerabilities found for by Creativeitem
CVE-2023-53876 (GCVE-0-2023-53876)
Vulnerability from cvelistv5
Published
2025-12-15 20:28
Modified
2026-04-07 14:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Academy LMS |
Version: 6.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53876",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T21:40:37.644908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T21:47:45.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51702"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Academy LMS",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "6.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:creativeitem:academy_lms:6.1:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CraCkEr"
}
],
"datePublic": "2023-09-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:07:02.883Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51702",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51702"
},
{
"name": "Academy LMS Product Webpage",
"tags": [
"technical-description"
],
"url": "https://academylms.net/"
},
{
"name": "VulnCheck Advisory: Academy LMS 6.1 Arbitrary File Upload Vulnerability via Profile Settings",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/academy-lms-arbitrary-file-upload-vulnerability-via-profile-settings"
}
],
"title": "Academy LMS 6.1 Arbitrary File Upload Vulnerability via Profile Settings",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53876",
"datePublished": "2025-12-15T20:28:17.234Z",
"dateReserved": "2025-12-13T14:25:04.999Z",
"dateUpdated": "2026-04-07T14:07:02.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40992 (GCVE-0-2025-40992)
Vulnerability from cvelistv5
Published
2025-10-02 10:50
Modified
2025-10-02 15:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Stored XSS vulnerability in Creativeitem Sociopro due to lack of proper validation of user inputs via the endpoint '/sociopro/profile/update_profile', affecting to 'name' parameter via POST. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her cookie session details.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Sociopro |
Version: all versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:16:36.850988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:52:59.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sociopro",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS vulnerability in Creativeitem Sociopro due to lack of proper validation of user inputs via the endpoint \u0027/sociopro/profile/update_profile\u0027, affecting to \u0027name\u0027 parameter via POST. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"value": "Stored XSS vulnerability in Creativeitem Sociopro due to lack of proper validation of user inputs via the endpoint \u0027/sociopro/profile/update_profile\u0027, affecting to \u0027name\u0027 parameter via POST. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:50:54.123Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Creativeitem Sociopro",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-40992",
"datePublished": "2025-10-02T10:50:54.123Z",
"dateReserved": "2025-04-16T09:08:37.856Z",
"dateUpdated": "2025-10-02T15:52:59.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40991 (GCVE-0-2025-40991)
Vulnerability from cvelistv5
Published
2025-10-02 10:45
Modified
2025-10-02 15:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_file/upload/xxxx", affecting to "description" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Ekushey CRM |
Version: 5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:16:42.847769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:53:10.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ekushey CRM",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the \"/ekushey/index.php/client/project_file/upload/xxxx\", affecting to \"description\" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"value": "Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the \"/ekushey/index.php/client/project_file/upload/xxxx\", affecting to \"description\" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:45:42.885Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Creativeitem Ekushey CRM",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-40991",
"datePublished": "2025-10-02T10:45:42.885Z",
"dateReserved": "2025-04-16T09:08:37.856Z",
"dateUpdated": "2025-10-02T15:53:10.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40990 (GCVE-0-2025-40990)
Vulnerability from cvelistv5
Published
2025-10-02 10:42
Modified
2025-10-02 14:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_bug/create/xxx", affecting to "title" and "description" parameters via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Ekushey CRM |
Version: 5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T14:07:14.809609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T14:07:46.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ekushey CRM",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the \"/ekushey/index.php/client/project_bug/create/xxx\", affecting to \"title\" and \"description\" parameters via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"value": "Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the \"/ekushey/index.php/client/project_bug/create/xxx\", affecting to \"title\" and \"description\" parameters via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:42:05.027Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Creativeitem Ekushey CRM",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-40990",
"datePublished": "2025-10-02T10:42:05.027Z",
"dateReserved": "2025-04-16T09:08:37.856Z",
"dateUpdated": "2025-10-02T14:07:46.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40989 (GCVE-0-2025-40989)
Vulnerability from cvelistv5
Published
2025-10-02 10:40
Modified
2025-10-02 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_message/add/xxx", affecting to "message" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Ekushey CRM |
Version: 5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T14:08:55.265731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T14:09:15.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ekushey CRM",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the \"/ekushey/index.php/client/project_message/add/xxx\", affecting to \"message\" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"value": "Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the \"/ekushey/index.php/client/project_message/add/xxx\", affecting to \"message\" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:40:03.790Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Creativeitem Ekushey CRM",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-40989",
"datePublished": "2025-10-02T10:40:03.790Z",
"dateReserved": "2025-04-16T09:08:37.856Z",
"dateUpdated": "2025-10-02T14:09:15.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27264 (GCVE-0-2025-27264)
Vulnerability from cvelistv5
Published
2025-03-03 13:30
Modified
2026-04-28 16:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows PHP Local File Inclusion.This issue affects Doctor Appointment Booking: from n/a through <= 1.0.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Doctor Appointment Booking |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T15:22:59.300453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T15:23:08.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "doctor-appointment-booking",
"product": "Doctor Appointment Booking",
"vendor": "Creativeitem",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:34.291Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Doctor Appointment Booking: from n/a through \u003c= 1.0.0.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows PHP Local File Inclusion.This issue affects Doctor Appointment Booking: from n/a through \u003c= 1.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:46.692Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/doctor-appointment-booking/vulnerability/wordpress-doctor-appointment-booking-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Doctor Appointment Booking Plugin \u003c= 1.0.0 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-27264",
"datePublished": "2025-03-03T13:30:29.638Z",
"dateReserved": "2025-02-21T16:44:52.127Z",
"dateUpdated": "2026-04-28T16:11:46.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27263 (GCVE-0-2025-27263)
Vulnerability from cvelistv5
Published
2025-03-03 13:30
Modified
2026-04-28 16:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows SQL Injection.This issue affects Doctor Appointment Booking: from n/a through <= 1.0.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Doctor Appointment Booking |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T15:33:47.581771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T15:34:00.306Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "doctor-appointment-booking",
"product": "Doctor Appointment Booking",
"vendor": "Creativeitem",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:34.029Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows SQL Injection.\u003cp\u003eThis issue affects Doctor Appointment Booking: from n/a through \u003c= 1.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows SQL Injection.This issue affects Doctor Appointment Booking: from n/a through \u003c= 1.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:46.671Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/doctor-appointment-booking/vulnerability/wordpress-doctor-appointment-booking-plugin-1-0-0-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Doctor Appointment Booking Plugin \u003c= 1.0.0 - SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-27263",
"datePublished": "2025-03-03T13:30:29.450Z",
"dateReserved": "2025-02-21T16:44:52.127Z",
"dateUpdated": "2026-04-28T16:11:46.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3756 (GCVE-0-2023-3756)
Vulnerability from cvelistv5
Published
2023-07-19 04:00
Modified
2024-10-21 15:04
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross Site Scripting
Summary
A vulnerability was found in Creativeitem Atlas Business Directory Listing 2.13 and classified as problematic. Affected by this issue is some unknown functionality of the file /home/search. The manipulation of the argument search_string leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-234428. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Atlas Business Directory Listing |
Version: 2.13 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:48.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.234428"
},
{
"tags": [
"signature",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.234428"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T15:03:43.679949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T15:04:50.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Atlas Business Directory Listing",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "2.13"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Creativeitem Atlas Business Directory Listing 2.13 and classified as problematic. Affected by this issue is some unknown functionality of the file /home/search. The manipulation of the argument search_string leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-234428. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Creativeitem Atlas Business Directory Listing 2.13 gefunden. Sie wurde als problematisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Datei /home/search. Durch das Manipulieren des Arguments search_string mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T17:30:18.624Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.234428"
},
{
"tags": [
"signature"
],
"url": "https://vuldb.com/?ctiid.234428"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-07-18T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-08-09T14:22:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "Creativeitem Atlas Business Directory Listing search cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-3756",
"datePublished": "2023-07-19T04:00:04.066Z",
"dateReserved": "2023-07-18T16:36:35.775Z",
"dateUpdated": "2024-10-21T15:04:50.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3755 (GCVE-0-2023-3755)
Vulnerability from cvelistv5
Published
2023-07-19 03:31
Modified
2024-08-02 07:08
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross Site Scripting
Summary
A vulnerability has been found in Creativeitem Atlas Business Directory Listing 2.13 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /home/filter_listings. The manipulation of the argument price-range leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-234427. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Atlas Business Directory Listing |
Version: 2.13 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.234427"
},
{
"tags": [
"signature",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.234427"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Atlas Business Directory Listing",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "2.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Creativeitem Atlas Business Directory Listing 2.13 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /home/filter_listings. The manipulation of the argument price-range leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-234427. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Creativeitem Atlas Business Directory Listing 2.13 wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei /home/filter_listings. Mittels Manipulieren des Arguments price-range mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T17:29:05.440Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.234427"
},
{
"tags": [
"signature"
],
"url": "https://vuldb.com/?ctiid.234427"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-07-18T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-08-09T14:19:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "Creativeitem Atlas Business Directory Listing filter_listings cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-3755",
"datePublished": "2023-07-19T03:31:03.904Z",
"dateReserved": "2023-07-18T16:36:33.003Z",
"dateUpdated": "2024-08-02T07:08:50.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3754 (GCVE-0-2023-3754)
Vulnerability from cvelistv5
Published
2023-07-19 03:00
Modified
2024-08-02 07:08
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross Site Scripting
Summary
A vulnerability, which was classified as problematic, was found in Creativeitem Ekushey Project Manager CRM 5.0. Affected is an unknown function of the file /index.php/client/message/message_read/xxxxxxxx[random-msg-hash]. The manipulation of the argument message leads to cross site scripting. It is possible to launch the attack remotely. VDB-234426 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Ekushey Project Manager CRM |
Version: 5.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:48.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.234426"
},
{
"tags": [
"signature",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.234426"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Ekushey Project Manager CRM",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in Creativeitem Ekushey Project Manager CRM 5.0. Affected is an unknown function of the file /index.php/client/message/message_read/xxxxxxxx[random-msg-hash]. The manipulation of the argument message leads to cross site scripting. It is possible to launch the attack remotely. VDB-234426 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Creativeitem Ekushey Project Manager CRM 5.0 gefunden. Sie wurde als problematisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Datei /index.php/client/message/message_read/xxxxxxxx[random-msg-hash]. Mittels dem Manipulieren des Arguments message mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T15:38:07.996Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.234426"
},
{
"tags": [
"signature"
],
"url": "https://vuldb.com/?ctiid.234426"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-07-18T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-08-09T14:15:53.000Z",
"value": "VulDB entry last update"
}
],
"title": "Creativeitem Ekushey Project Manager CRM xxxxxxxx[random-msg-hash] cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-3754",
"datePublished": "2023-07-19T03:00:05.454Z",
"dateReserved": "2023-07-18T16:33:53.860Z",
"dateUpdated": "2024-08-02T07:08:48.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3753 (GCVE-0-2023-3753)
Vulnerability from cvelistv5
Published
2023-07-19 02:00
Modified
2024-10-21 15:04
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross Site Scripting
Summary
A vulnerability classified as problematic has been found in Creativeitem Mastery LMS 1.2. This affects an unknown part of the file /browse. The manipulation of the argument search/featured/recommended/skill leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-234423. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Mastery LMS |
Version: 1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.234423"
},
{
"tags": [
"signature",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.234423"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T15:03:48.819997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T15:04:28.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mastery LMS",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in Creativeitem Mastery LMS 1.2. This affects an unknown part of the file /browse. The manipulation of the argument search/featured/recommended/skill leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-234423. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Creativeitem Mastery LMS 1.2 entdeckt. Sie wurde als problematisch eingestuft. Dabei betrifft es einen unbekannter Codeteil der Datei /browse. Mit der Manipulation des Arguments search/featured/recommended/skill mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T15:36:54.821Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.234423"
},
{
"tags": [
"signature"
],
"url": "https://vuldb.com/?ctiid.234423"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-07-18T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-08-09T14:07:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "Creativeitem Mastery LMS browse cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-3753",
"datePublished": "2023-07-19T02:00:06.762Z",
"dateReserved": "2023-07-18T16:27:55.298Z",
"dateUpdated": "2024-10-21T15:04:28.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3752 (GCVE-0-2023-3752)
Vulnerability from cvelistv5
Published
2023-07-19 01:31
Modified
2024-08-02 07:01
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross Site Scripting
Summary
A vulnerability was found in Creativeitem Academy LMS 5.15. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /home/courses. The manipulation of the argument sort_by leads to cross site scripting. The attack may be launched remotely. VDB-234422 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Creativeitem | Academy LMS |
Version: 5.15 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.234422"
},
{
"tags": [
"signature",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.234422"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Academy LMS",
"vendor": "Creativeitem",
"versions": [
{
"status": "affected",
"version": "5.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Creativeitem Academy LMS 5.15. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /home/courses. The manipulation of the argument sort_by leads to cross site scripting. The attack may be launched remotely. VDB-234422 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in Creativeitem Academy LMS 5.15 ausgemacht. Dies betrifft einen unbekannten Teil der Datei /home/courses. Dank Manipulation des Arguments sort_by mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T15:35:41.493Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.234422"
},
{
"tags": [
"signature"
],
"url": "https://vuldb.com/?ctiid.234422"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-07-18T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-07-18T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-08-09T13:59:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "Creativeitem Academy LMS courses cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-3752",
"datePublished": "2023-07-19T01:31:03.400Z",
"dateReserved": "2023-07-18T16:25:59.245Z",
"dateUpdated": "2024-08-02T07:01:57.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}