Phpgurukul Tourism Management System vulnerabilities

7 known vulnerabilities affecting phpgurukul/tourism_management_system.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 4

Vulnerabilities

CVE-2025-13247 | MEDIUM | CVSS 6.9 | v1.0 | 2025-11-16
CVE-2025-13247 [MEDIUM] CWE-74: A security flaw has been discovered in PHPGurukul Tourism Management System 1.0. The affected element is an unknown function of the file /admin/user-bookings.php. The manipulation of the argument uid results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
cvelistv5, nvd
CVE-2024-41333 | MEDIUM | CVSS 6.1 | v2.0 | 2024-08-06
CVE-2024-41333 [MEDIUM] CWE-79: A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the uname parameter.
nvd
CVE-2024-32256 | HIGH | CVSS 8.1 | v2.0 | 2024-04-16
CVE-2024-32256 [HIGH] CWE-434: Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of files are uploaded from the image.
nvd
CVE-2024-32254 | HIGH | CVSS 8.8 | v2.0 | 2024-04-16
CVE-2024-32254 [HIGH] CWE-434: Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via tms/admin/create-package.php. When creating a new package, there are no checks for what types of files are uploaded from the image.
nvd
CVE-2024-1822 | MEDIUM | CVSS 6.1 | v1.0 | 2024-02-23
CVE-2024-1822 [LOW] CWE-79: A vulnerability classified as problematic has been found in PHPGurukul Tourism Management System 1.0. Affected is an unknown function of the file user-bookings.php. The manipulation of the argument Full Name leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-254610
cvelistv5, nvd
CVE-2022-30930 | MEDIUM | CVSS 4.3 | v3.2 | 2022-06-14
CVE-2022-30930 [MEDIUM] CWE-352: Tourism Management System Version: V 3.2 is affected by: Cross Site Request Forgery (CSRF).
nvd
CVE-2020-28136 | HIGH | CVSS 8.8 | v1.0 | 2020-11-17
CVE-2020-28136 [HIGH] CWE-434: An Arbitrary File Upload vulnerability discovered in SourceCodester Tourism Management System 1.0 allows the user to conduct remote code execution via the vulnerable admin/create-package.php page.
nvd