Text Exploits
31,346 exploits tracked across all sources.
Business Live Chat Software 1.0 - CSRF
Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters.
by Meisam Monsef
CVSS 5.3
Comtrend Vr-3033 Firmware - OS Command Injection
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter to ping.cgi.
by Raki Ben Hamouda
CVSS 8.8
PhpIX 2012 Professional - SQL Injection
PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information.
by indoushka
CVSS 7.1
eLection 2.0 - Authenticated SQL Injection
eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory.
by J3rryBl4nks
CVSS 7.1
ATutor 2.2.4 - SQL Injection
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.
by Andrey Stoykov
CVSS 7.1
AMSS++ 4.31 - SQL Injection
AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents.
by indoushka
CVSS 8.2
AMSS++ 4.7 - Auth Bypass
AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system.
by indoushka
CVSS 7.5
DotNetNuke 9.5 - XSS
DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.
by Sajjad Pourali
CVSS 6.4
GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
by emaragkos
CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)
by J3rryBl4nks
Real Web Pentesting Tutorial Step by Step - [Persian]
by Meisam Monsef
Zoho ManageEngine EventLog Analyzer <10.0 SP1 Build 12110 - Information Disclosure
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.
by Scott Goodwin
CVSS 8.8
SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure
by Todor Donev
I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure
by Todor Donev
IP Office App Server <11 - XSS
A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product versions 11.x are affected. Product versions prior to 11.0, including unsupported versions, were not evaluated.
by Scott Goodwin
CVSS 5.4
WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
by Ultra Security Team
TFTP Turbo 4.6.1273 - RCE
TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
by boku
CVSS 7.8
DHCP Turbo 4.61298 - RCE
DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts.
by boku
CVSS 7.8
BOOTP Turbo 2.0.1214 - Privilege Escalation
BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions.
by boku
CVSS 7.8
Microsoft Windows 10 1507 - Symlink Following
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0686.
by nu11secur1ty
CVSS 7.8
HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
by Roberto Piña
WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
by Ultra Security Team
WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting
by Shahab.ra.9
By Source