Exploitdb Exploits
2,009 exploits tracked across all sources.
Thunderbird <45.7, Firefox ESR <45.7, Firefox <51 - Memory Corruption
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
by Rh0
CVSS 9.8
Thunderbird <45.7, Firefox ESR <45.7, Firefox <51 - Memory Corruption
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
by Rh0
CVSS 9.8
Bravo Tejari Procurement Portal - Authenticated Cross-Site Request Forgery in Profile Data Update
Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens.
by Arvind V
CVSS 8.0
Internet Explorer - Remote Code Execution via Scripting Engine Memory Corruption
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, and CVE-2018-0861.
by Google Security Research
CVSS 7.5
FrontAccounting 2.4.3 - Cross-Site Request Forgery via User Permissions Page
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
by Samrat Das
CVSS 8.8
Advantech WebAccess 8.3.0 - Remote Code Execution via VBWinExec Command Parameter
The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument (aka the command parameter).
by Nassim Asrir
CVSS 9.8
Typesetter - Cross-Site Request Forgery
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token.
by Navina Asrani
CVSS 8.0
Zh YandexMap 6.2.1.0 - SQL Injection via id Parameter
SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! via the id parameter in a task=getPlacemarkDetails request.
by Ihsan Sencan
CVSS 9.8
JEXTN Membership 3.1.0 - SQL Injection via usr_plan Parameter
SQL Injection exists in the JEXTN Membership 3.1.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.
by Ihsan Sencan
CVSS 9.8
je_paypervideo 3.0.0 - SQL Injection via usr_plan Parameter
SQL Injection exists in the JE PayperVideo 3.0.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.
by Ihsan Sencan
CVSS 9.8
WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free
by Google Security Research
Apple tvOS < 11.2.5 - Remote Code Execution via WebKit Memory Corruption
An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. Safari before 11.0.3 is affected. tvOS before 11.2.5 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
by Google Security Research
CVSS 8.8
Netis WF2419 V2.2.36123 - Cross-Site Request Forgery
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.
by Sajibe Kanti
CVSS 8.8
JS Support Ticket 1.1.0 - Cross-Site Request Forgery
CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.
by Ihsan Sencan
CVSS 8.8
KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery via Missing x-csrf-token Header
KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header.
by Saurabh Banawar
CVSS 8.8
Rapid7 Nexpose < 6.4.66 - Cross-Site Request Forgery in Automated Actions
Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
by Shwetabh Vishnoi
CVSS 8.8
DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extender RTN2-AW.GD.R3465.1.20161103 - Cross-Site Request Forgery
An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This vulnerability can lead to changing an existing user's username and password, changing the Wi-Fi password, etc.
by Raffaele Sabato
CVSS 8.8
Electron < 1.7.11 - Remote Code Execution via Protocol Handler
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
by Wflki
CVSS 8.8
Email Subscribers & Newsletters <3.4.8 - Info Disclosure
An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data.
by ThreatPress Security
CVSS 7.5
RSVP Invitation Online 1.0 - Cross-Site Request Forgery via account.php
Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password.
by Ihsan Sencan
CVSS 8.8
Photography CMS 1.0 - Cross-Site Request Forgery via ajax_new_admin.php
Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account.
by Ihsan Sencan
CVSS 8.8
Vanilla Forums < 2.1.5 - Cross-Site Request Forgery Leading to Topic and Comment Deletion
Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access
by Anand Meyyappan
CVSS 8.0
Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains a cross-site request forgery vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting missing request validation. Attackers can craft malicious web pages that perform administrative actions when visited by logged-in users, enabling command execution with router privileges.
by LiquidWorm
CVSS 4.3
By Source