Kostasmitroglou Thesystem vulnerabilities
4 known vulnerabilities affecting kostasmitroglou/thesystem.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2019-25441 | P1 | CRITICAL | CVSS 9.8 | versions: v1.0.0, v1.0 | 2026-02-20
CWE-78 (command injection)
thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.
Source: nvd
CVE-2019-25347 | P3 | HIGH | CVSS 7.5 | versions: v1.0 | 2026-02-12
CWE-89 (SQL injection)
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts.
Source: nvd
CVE-2019-25346 | P3 | HIGH | CVSS 7.5 | versions: v1.0 | 2026-02-12
CWE-89 (SQL injection)
TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information.
Source: nvd
CVE-2019-25311 | P4 | MEDIUM | CVSS 5.4 | versions: v1.0.0, v1.0 | 2026-02-11
CWE-79 (cross-site scripting)
thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. Attackers can submit crafted script payloads in operating_system, system_owner, system_username, system_password, system_description, and server_name parameters to execute arbitrar
Source: nvd