Text Exploits

31,386 exploits tracked across all sources.

CVE-2020-7030 EXPLOITDB MEDIUM text
Avaya IP Office 9.x, 10.0-10.1.0.7, 11.0-11.0.4.3 - Insufficiently Protected Credentials
A sensitive information disclosure vulnerability was discovered in the web interface component of IP Office that may potentially allow a local user to gain unauthorized access to the component. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 through 11.0.4.3.
by hyp3rlinx
CVSS 5.5
CVE-2020-37046 EXPLOITDB MEDIUM text
Sistem Informasi Pengumuman Kelulusan Online 1.0 - CSRF
Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent.
by Extinction
CVSS 5.3
CVE-2020-13866 EXPLOITDB HIGH text
WinGate 9.4.1.5998 - Incorrect Permission Assignment for Critical Resource
WinGate v9.4.1.5998 has insecure permissions for the installation directory, which allows local users to gain privileges by replacing an executable file with a Trojan horse.
by hyp3rlinx
CVSS 7.8
EIP-2026-113108 EXPLOITDB text
Virtual Airlines Manager 2.6.2 - 'id' SQL Injection
by Mosaaed
EIP-2026-108911 EXPLOITDB text
Joomla! J2 Store 3.3.11 - 'filter_order_Dir' Authenticated SQL Injection
by Mehmet Kelepçe
EIP-2026-113107 EXPLOITDB text
Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection
by Kostadin Tonev
CVE-2020-23575 EXPLOITDB HIGH text
Kyocera Printer d-COPIA253MF - Path Traversal
A directory traversal vulnerability exists in Kyocera Printer d-COPIA253MF plus. Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.
by Hakan Eren ŞAN
CVSS 7.5
EIP-2026-113110 EXPLOITDB text
Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
by Pankaj Kumar Thakur
EIP-2026-110076 EXPLOITDB text
Online Course Registration 1.0 - Authentication Bypass
by BKpatron
CVE-2020-37223 EXPLOITDB HIGH text
IObit Uninstaller 9.5.0.15 Unquoted Service Path Privilege Escalation
IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Attackers can place a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory and restart the service to execute code with SYSTEM privileges.
by Gobinathan
CVSS 7.8
CVE-2020-37054 EXPLOITDB MEDIUM text
Navigate CMS 2.8.7 - Cross-Site Request Forgery via Extension Upload
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
by Gus Ralph
CVSS 4.3
CVE-2020-5510 EXPLOITDB CRITICAL text
PHPGurukul Hostel Mgt Sys <2.0 - SQL Injection
PHPGurukul Hostel Management System v2.0 allows SQL injection via the id parameter in the full-profile.php file.
by Enesdex
CVSS 9.8
CVE-2020-36909 EXPLOITDB MEDIUM text
SnapGear Management Console SG560 3.1.5 - Privilege Escalation
SnapGear Management Console SG560 3.1.5 contains a file manipulation vulnerability that allows authenticated users to read, write, and delete files using the edit_config_files CGI script. Attackers can manipulate POST request parameters in /cgi-bin/cgix/edit_config_files to access and modify files outside the intended /etc/config/ directory.
by LiquidWorm
CVSS 6.5
CVE-2020-36908 EXPLOITDB MEDIUM text
SnapGear Management Console SG560 3.1.5 - CSRF
SnapGear Management Console SG560 version 3.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft a malicious web page that automatically submits a form to create a new super user account with full administrative privileges when a logged-in user visits the page.
by LiquidWorm
CVSS 5.3
EIP-2026-110343 EXPLOITDB text
Oriol Espinal CMS 1.0 - 'id' SQL Injection
by TSAR
EIP-2026-109842 EXPLOITDB text
Navigate CMS 2.8.7 - Authenticated Directory Traversal
by Gus Ralph
EIP-2026-105922 EXPLOITDB text
Clinic Management System 1.0 - Unauthenticated Remote Code Execution
by BKpatron
EIP-2026-105919 EXPLOITDB text
Clinic Management System 1.0 - Authenticated Arbitrary File Upload
by BKpatron
EIP-2026-104194 EXPLOITDB text
Cayin Digital Signage System xPost 2.5 - Remote Command Injection
by LiquidWorm
EIP-2026-104193 EXPLOITDB text
Cayin Content Management Server 11.0 - Remote Command Injection (root)
by LiquidWorm
CVE-2019-17525 EXPLOITDB HIGH text
D-Link DIR-615 T1 20.10 - Unauthenticated CAPTCHA Bypass via Login Page
The login page on D-Link DIR-615 T1 20.10 devices allows remote attackers to bypass the CAPTCHA protection mechanism and conduct brute-force attacks.
by huzaifa hussain
CVSS 8.8
CVE-2020-10596 EXPLOITDB MEDIUM text
OpenCart 3.0.3.2 - Authenticated Stored Cross-Site Scripting via Image Upload Filename
OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section.
by Kailash Bohara
CVSS 5.4
EIP-2026-105920 EXPLOITDB text
Clinic Management System 1.0 - Authentication Bypass
by BKpatron
CVE-2020-3952 EXPLOITDB CRITICAL text
VMware vCenter Server vmdir Information Disclosure
Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.
by Photubias
CVSS 9.8
CVE-2020-13426 EXPLOITDB MEDIUM text
WordPress Multi-Scheduler <1.0.0 - CSRF
The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents, allowing the possibility of deleting records (users) when an ID is known.
by UnD3sc0n0c1d0
CVSS 6.5