Text Exploits
31,346 exploits tracked across all sources.
Windscribe <v1.83 Build 20 - Privilege Escalation
In Windscribe v1.83 Build 20, 'WindscribeService' has an Unquoted Service Path that facilitates privilege escalation.
by MgThuraMoeMyint
CVSS 7.8
Django 3.0 - Cross-Site Request Forgery Token Bypass
by Spad Security Group
PHP-Fusion 9.03.50 - XSS
PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site.
by hyp3rlinx
CVSS 6.1
ZOC Terminal 7.25.5 - DoS
ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH key files.
by chuyreds
CVSS 7.5
Memu Play 7.1.3 - Privilege Escalation
Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions.
by chuyreds
CVSS 9.8
Limesurvey < 4.1.11 - XSS
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups).
by Matthew Aberegg
CVSS 5.4
Limesurvey < 4.1.11 - Path Traversal
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
by Matthew Aberegg
CVSS 9.8
WhatsApp Desktop <0.3.9309 - XSS
A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
by Gal Weizman
CVSS 8.2
Netgate Pfsense < 2.4.5 - XSS
pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.
by Matthew Aberegg
CVSS 5.4
PHP-Fusion 9.03.50 - RCE
PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code.
by Unkn0wn
CVSS 6.1
Microsoft Windows 10 1903 - Memory Corruption
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
by Daniel García Gutiérrez
CVSS 10.0
ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)
by Mustafa Emre Gül
Avast SecureLine 5.5.522.0 - Code Injection
Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
by Roberto Piña
CVSS 7.8
10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
by Felipe Winsnes
LeptonCMS 4.5.0 - XSS
An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements.
by SunCSR
CVSS 6.1
Veyon Service <4.4.2 - Privilege Escalation
On Windows, the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in setups that are already unsafe. The problem has been fixed in version 4.4.2. As a workaround, exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.
by Víctor García
CVSS 8.0
Wpforms Contact Form < 1.5.9 - XSS
A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress.
by Jinson Varghese Behanan
CVSS 5.4
UliCMS <2020.2 - XSS
UliCMS before 2020.2 has PageController stored XSS.
by SunCSR
CVSS 6.1
FIBARO System Home Center 5.021 - RCE
FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content.
by LiquidWorm
CVSS 7.5
Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)
by Cem Onat Karagun