Html Exploits
2,053 exploits tracked across all sources.
PilusCart 1.4.1 - CSRF
PilusCart 1.4.1 is vulnerable to index.php?module=users&action=newUser CSRF, leading to the addition of a new user as administrator.
by Gionathan Reale
CVSS 8.8
Microsoft Chakracore < 1.11.5 - Out-of-Bounds Write
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0567, CVE-2019-0568.
by Fahad Aid Alharbi
CVSS 7.5
Simple Online Hotel Reservation System - Cross-Site Request Forgery (Delete Admin)
by Mr Winst0n
Simple Online Hotel Reservation System - Cross-Site Request Forgery (Add Admin)
by Mr Winst0n
Zohocorp Manageengine Netflow Analyzer - XSS
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.
by Rafael Pedrero
CVSS 6.1
Zohocorp Manageengine Netflow Analyzer - XSS
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.
by Rafael Pedrero
CVSS 6.1
Zohocorp Manageengine Netflow Analyzer - XSS
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.
by Rafael Pedrero
CVSS 6.1
Zohocorp Manageengine Netflow Analyzer - Path Traversal
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.
by Rafael Pedrero
CVSS 4.3
Apachefriends Xampp < 5.6.8 - SQL Injection
XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued.
by Rafael Pedrero
CVSS 9.8
Apachefriends Xampp < 5.6.8 - XSS
XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued.
by Rafael Pedrero
CVSS 6.1
Zohocorp Manageengine Netflow Analyzer - XSS
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.
by Rafael Pedrero
CVSS 6.1
Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset
by Adithyan AK
Beward N100 H.264 VGA IP Camera M2.1.6 - CSRF
Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form.
by LiquidWorm
CVSS 5.3
ZyXEL VMG3312-B10B DSL-491HUNU-B1B v2 - CSRF
ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cgi CSRF.
by Yusuf Furkan
CVSS 8.8
AirTies Air5341 <1.0.0.12 - CSRF
AirTies Air5341 1.0.0.12 devices allow cgi-bin/login CSRF.
by Ali Can Gönüllü
CVSS 8.8
Zyxel Nbg-418n Firmware - CSRF
Zyxel NBG-418N v2 v1.00(AAXM.4)C0 devices allow login.cgi CSRF.
by Ali Can Gönüllü
CVSS 8.8
Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length
by Bogdan Kurinnoy
Coship Rt3050 Firmware - Authentication Bypass
An issue was discovered on Shenzhen Coship RT3050 4.0.0.40, RT3052 4.0.0.48, RT7620 10.0.0.49, WM3300 5.0.0.54, and WM3300 5.0.0.55 devices. The password reset functionality of the router doesn't have backend validation for the current password and doesn't require any type of authentication. By making a POST request to the apply.cgi file of the router, the attacker can change the admin username and password of the router.
by Adithyan AK
CVSS 9.8
Hucart - CSRF
An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add.
by AllenChen
CVSS 8.8
Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory. Denial of Service (PoC)
by Bogdan Kurinnoy
Leica Geosystems GR10/GR25/GR30/GR50 4.30.063 - CSRF
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that submit requests to the application.
by LiquidWorm
CVSS 5.3
Leica Geosystems GR10/GR25/GR30/GR50 4.30.063 - XSS
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file to that executes arbitrary JavaScript in a user's browser session when viewed.
by LiquidWorm
CVSS 7.2
Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference
by Bogdan Kurinnoy
Apple Safari < 12.0.2 - Memory Corruption
A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9.
by Google Security Research
CVSS 8.8
Microsoft Edge 42.17134.1.0 - 'Tree::ANode::DocumentLayout' Denial of Service
by Bogdan Kurinnoy
By Source