Text Exploits

31,386 exploits tracked across all sources.

EIP-2026-110080 EXPLOITDB text VERIFIED
Online Course Registration 2.0 - Remote Code Execution
by Metin Yunus Kandemir
EIP-2026-108967 EXPLOITDB text
Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
by Hakan TAŞKÖPRÜ
CVE-2020-37156 EXPLOITDB MEDIUM text VERIFIED
BloodX 1.0 - Unauthenticated Authentication Bypass via Crafted Payload in login.php
BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with '=''or' parameters to bypass login authentication and gain unauthorized access.
by riamloo
CVSS 6.5
CVE-2020-5191 EXPLOITDB MEDIUM text VERIFIED
PHPGurukul Hospital Management System 4.0 - Stored Cross-Site Scripting
PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple Persistent XSS vulnerabilities.
by FULLSHADE
CVSS 6.1
CVE-2020-5192 EXPLOITDB HIGH text VERIFIED
PHPGurukul Hospital Management System 4.0 - SQL Injection
PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple SQL injection vulnerabilities: multiple pages and parameters are not validating user input, and allow for the application's database and information to be fully compromised.
by FULLSHADE
CVSS 8.8
EIP-2026-117545 EXPLOITDB text VERIFIED
Microsoft Windows .Group File - Code Execution
by hyp3rlinx
EIP-2026-101795 EXPLOITDB text
IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal
by Raif Berkay Dincel
CVE-2019-25343 EXPLOITDB HIGH text
NextVPN 4.10 - Privilege Escalation
NextVPN 4.10 contains an insecure file permissions vulnerability that allows local users to modify executable files with full access rights. Attackers can replace system executables with malicious files to gain SYSTEM or Administrator privileges through unauthorized file modification.
by SajjadBnd
CVSS 7.8
CVE-2019-25325 EXPLOITDB HIGH text
Thrive Smart Home 1.1 - SQL Injection
Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.
by LiquidWorm
CVSS 8.2
CVE-2019-25324 EXPLOITDB MEDIUM text
RICOH Web Image Monitor 1.09 - HTML Injection via Address Configuration CGI Script
RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script that allows attackers to inject malicious HTML code. Attackers can exploit the entryNameIn and entryDisplayNameIn parameters to insert arbitrary HTML content, potentially enabling cross-site scripting attacks.
by Ismail Tasdelen
CVSS 6.1
CVE-2019-25323 EXPLOITDB MEDIUM text
Heatmiser Netmonitor 3.03 - HTML Injection via outputtitle Parameter
Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. Attackers can craft specially formatted POST requests to the outputtitle parameter to execute arbitrary HTML and potentially manipulate the web interface's displayed content.
by Ismail Tasdelen
CVSS 6.1
CVE-2019-25322 EXPLOITDB HIGH text
Heatmiser Netmonitor 3.03 - Hardcoded Credentials
Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields.
by Ismail Tasdelen
CVSS 7.5
CVE-2019-25320 EXPLOITDB MEDIUM text
E Learning Script 1.0 - Auth Bypass
E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication and gain unauthorized access to the system.
by riamloo
CVSS 6.5
CVE-2020-22001 EXPLOITDB CRITICAL text
HomeAutomation 3.3.2 - Authentication Bypass via X-Forwarded-For Header Spoofing
HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability: spoofing the client IP address by setting the X-Forwarded-For header to the local (loopback) IP address allows remote control of the smart home solution.
by LiquidWorm
CVSS 9.8
CVE-2020-22000 EXPLOITDB HIGH text
HomeAutomation 3.3.2 - Authenticated OS Command Injection via Custom Command Plugin
HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off' POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php' by using an unsanitized PHP exec() function.
by LiquidWorm
CVSS 8.0
CVE-2020-21996 EXPLOITDB HIGH text
AVE DOMINAplus <=1.10.x - Unauthenticated Denial of Service via Reboot Command Execution
AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.
by LiquidWorm
CVSS 7.5
CVE-2020-21994 EXPLOITDB CRITICAL text
AVE DOMINAplus <=1.10.x - Unauthenticated Credential Disclosure via /xml/authClients.xml
AVE DOMINAplus <=1.10.x suffers from a clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to request the XML file '/xml/authClients.xml' from an unprotected directory and obtain administrative login information, enabling a successful authentication bypass attack.
by LiquidWorm
CVSS 9.8
CVE-2020-21991 EXPLOITDB CRITICAL text
AVE DOMINAplus <= 1.10.x - Unauthenticated Authentication Bypass via changeparams.php autologin Parameter
AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to a missing control check when directly calling the autologin GET parameter in the changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.
by LiquidWorm
CVSS 9.8
CVE-2020-21990 EXPLOITDB HIGH text
MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Unauthenticated Information Disclosure
Emmanuel MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain access to sensitive information.
by LiquidWorm
CVSS 7.5
CVE-2020-21989 EXPLOITDB HIGH text VERIFIED
HomeAutomation 3.3.2 - Cross-Site Request Forgery
HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
by LiquidWorm
CVSS 8.8
CVE-2020-21987 EXPLOITDB MEDIUM text
HomeAutomation 3.3.2 - Stored Cross-Site Scripting via Input Parameter
HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting (XSS). XSS vulnerabilities occur when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session.
by LiquidWorm
CVSS 6.1
CVE-2019-25267 EXPLOITDB HIGH text
Wing FTP Server 6.0.7 - Privilege Escalation
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
by Nawaf Alkeraithe
CVSS 7.8
CVE-2019-25233 EXPLOITDB MEDIUM text
AVE DOMINAplus 1.10.x - Cross-Site Request Forgery and Cross-Site Scripting via login.php
AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions.
by LiquidWorm
CVSS 5.3
EIP-2026-102126 EXPLOITDB text
XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin)
by Ismail Tasdelen
EIP-2026-102125 EXPLOITDB text
XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin)
by Ismail Tasdelen