Html Exploits
2,054 exploits tracked across all sources.
Apple Safari < 10.0.3 - Memory Corruption
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted web site.
by Google Security Research
CVSS 8.1
Apple <10.3 - RCE
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
by Google Security Research
CVSS 8.8
Apple <10.3 - RCE
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
by Google Security Research
CVSS 8.8
Microsoft Internet Explorer - Information Disclosure
Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0008 and CVE-2017-0009.
by Google Security Research
CVSS 4.3
Debian Linux < 45.8.0 - Use After Free
A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
by Google Security Research
CVSS 9.8
Microsoft Edge - Use After Free
A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability is different from those described in CVE-2017-0010, CVE-2017-0015, CVE-2017-0032, CVE-2017-0035, CVE-2017-0067, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0141, CVE-2017-0150, and CVE-2017-0151.
by Google Security Research
CVSS 7.5
Apple Iphone OS < 9.3.5 - Out-of-Bounds Write
WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
by qwertyoruiop
CVSS 8.8
WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery
by KoreLogic
SolarWinds FTP Voyager 16.2.0 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin password, (2) terminate the scheduler, or (3) possibly execute arbitrary commands via crafted requests to Admin/XML/Result.xml.
by hyp3rlinx
CVSS 8.8
Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
by SEC Consult
Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
by SEC Consult
Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
by SEC Consult
Deluge <1.3.14 - CSRF
CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
by Kyle Neideck
CVSS 8.8
Supsystic Popup Plugin <1.7.6 - CSRF
A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
by Radjnies Bhansingh
CVSS 4.3
WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery
by Yorick Koster
WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery
by David Vaartjes
WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting
by Edwin Molenaar
WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting
by Edwin Molenaar
Netgear Dgn2200 Firmware < 10.0.0.50 - CSRF
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely.
by SivertPL
CVSS 8.8
Netgear Dgn2200 Series Firmware < 10.0.0.50 - OS Command Injection
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077.
by SivertPL
CVSS 8.8
Microsoft Edge - Type Confusion
Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.
by Google Security Research
CVSS 8.1
Apple <10.2.1 - XSS
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "WebKit" component, which allows remote attackers to launch popups via a crafted web site.
by Google Security Research
CVSS 6.5
Apple <10.2.1, <10.0.3, <10.1.1 - SSRF
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
by Google Security Research
CVSS 6.5
Apple <10.2.1, <10.0.3, <10.1.1, <3.1.3 - CSRF
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
by Google Security Research
CVSS 6.5
Apple <10.12.3 - XSS
An issue was discovered in certain Apple products. macOS before 10.12.3 is affected. The issue involves the "Help Viewer" component, which allows XSS attacks via a crafted web site.
by Google Security Research
CVSS 6.1
By Source