Exploitdb Exploits
31,346 exploits tracked across all sources.
Opmantek Open-audit - XSS
Open-AudIT 3.3.0 allows an XSS attack after login.
by Kamaljeet Kumar
CVSS 5.4
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
by Mehmet Kelepçe
Victor CMS 1.0 - XSS
Victor CMS 1.0 has Persistent XSS in admin/users.php?source=add_user via the user_name, user_firstname, or user_lastname parameter.
by Nitya Nand
CVSS 6.1
WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
by SunCSR
Konica Minolta FTP Utility 1.0 - Buffer Overflow
Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the LIST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code.
by Socket_0x03
CVSS 9.8
Dolibarr 11.0.3 - XSS
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information.
by Mehmet Kelepçe
CVSS 6.4
Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
by Matteo Malvica
CVSS 7.8
CloudMe 1.11.2 - RCE
CloudMe 1.11.2 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code through crafted network packets. Attackers can exploit the vulnerability by sending a specially crafted payload to the CloudMe service running on port 8888, enabling remote code execution.
by Xenofon Vassilakopoulos
CVSS 9.8
PHPFusion 9.03.50 - XSS
PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers.
by coiffeur
CVSS 6.4
forma.lms 2.3.0.2 - CSRF
forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.
by Daniel Ortiz
CVSS 8.8
Composr CMS 10.0.30 - Persistent Cross-Site Scripting
by Manuel García Cárdenas
Open edX Ironwood 2.5 - RCE
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
by Daniel Monzón
CVSS 8.8
Victor CMS 1.0 - Authenticated RCE
Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing the uploaded file with a 'cmd' parameter.
by Kishan Lal Choudhary
CVSS 8.8
Victor CMS 1.0 - XSS
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.
by Kishan Lal Choudhary
CVSS 7.2
PHP-Fusion 9.03.50 - SQL Injection
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,
by SunCSR
CVSS 7.2
NukeViet 4.4 - CSRF
modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.
by JEBARAJ
CVSS 6.5
NukeViet 4.4 - CSRF
modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.
by JEBARAJ
CVSS 6.5
NukeViet 4.4 - CSRF
clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.
by JEBARAJ
CVSS 8.8
Submitty <20.04.01 - XSS
Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow.
by humblelad
CVSS 5.4
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting
by Kishan Lal Choudhary
Forma.lms The E-Learning Suite 2.3.0.2 - XSS
Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization.
by Daniel Ortiz
CVSS 6.4
Monstra CMS 3.0.4 - Code Injection
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
by Kishan Lal Choudhary
CVSS 8.8
WordPress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
by Nguyen Khang
By Source