Text Exploits
31,386 exploits tracked across all sources.
Alkacon OpenCms Apollo Template 10.5.4-10.5.5 - Cross-Site Scripting in Login Form
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.
by Aetsu
CVSS 6.1
YouPHPTube < 7.4 - Unauthenticated Arbitrary File Write via checkConfiguration.php
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code.
by Damian Ebelties
CVSS 9.8
WebAppick WooCommerce Product Feed <2.2.18 - XSS
WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in.
by Damian Ebelties
CVSS 5.4
Sentrifugo 3.2 - Authenticated Stored Cross-Site Scripting
Multiple stored XSS vulnerabilities in Sentrifugo 3.2 could allow authenticated users to inject arbitrary web script or HTML.
by creosote
CVSS 5.4
Sentrifugo 3.2 - Authenticated Arbitrary File Upload via Restriction Bypass
Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell.
by creosote
CVSS 8.8
DomainMOD < 4.13.0 - Cross-Site Scripting via daterange Parameter
In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.
by Damian Ebelties
CVSS 6.1
Canon PRINT 2.5.5 - Unauthenticated Sensitive Information Exposure via ContentProvider
The ContentProvider in the Canon PRINT jp.co.canon.bsd.ad.pixmaprint 2.5.5 application for Android does not properly restrict canon.ij.printer.capability.data data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for the administrator web interface and WPA2-PSK key.
by 0x48piraj
CVSS 5.5
Kartatopia PilusCart <1.4.1 - Info Disclosure
In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File Disclosure.
by Damian Ebelties
CVSS 7.5
iCloud < 7.13 - Memory Corruption via Malicious Web Content
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to arbitrary code execution.
by Google Security Research
CVSS 8.8
Jobberbase 2.0 - SQL Injection via PATH_INFO to Jobs-In Endpoint
Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endpoint.
by Suvadip Kar
CVSS 9.8
SQLiteManager 1.20 and 1.24 - SQL Injection via dbsel Parameter
SQLiteManager 1.20 and 1.24 allows SQL injection via the /sqlitemanager/main.php dbsel parameter. NOTE: This product is discontinued.
by Rafael Pedrero
CVSS 9.8
LISTSERV < 16.5-2018a - Reflected Cross-Site Scripting via OK Parameter
Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter.
by MTK
CVSS 6.1
Windows 10 and Windows Server 2016/2019 - Privilege Escalation via Reparse Point Creation
An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.
To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.
The security update addresses the vulnerability by preventing sandboxed processes from creating reparse points targeting inaccessible files.
by Google Security Research
CVSS 7.9
cosenary Instagram-PHP-API <4.9.32 - XSS
cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.
by Damian Ebelties
CVSS 6.1
Webtoffee WordPress Users & WooCommerce Customers Import Export <1....
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
by Javier Olmedo
CVSS 7.3
Nimble Streamer 3.0.2-2-3.5.4-9 - Path Traversal
Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server.
by MaYaSeVeN
CVSS 6.5
Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities
by Pedro Ribeiro
Kimai < 1.1 - Stored Cross-Site Scripting via Timesheet Description
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.
by osamaalaa
CVSS 6.4
YouPHPTube < 7.2 - SQL Injection in AuditTable.php
plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection.
by Fabian Mosch
CVSS 5.3
UltimateKode Neo Billing <3.5 - XSS
Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML.
by n1x_
CVSS 5.4
Joomla com_jsjobs 1.2.6 Arbitrary File Deletion
Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field_2 parameter to delete arbitrary files accessible to the web server.
by qw3rTyTy
CVSS 6.5
GetGo Download Manager 6.2.2.3300 - Buffer Overflow
GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that allows remote attackers to cause denial of service by sending HTTP responses with excessively long headers. Attackers can craft malicious HTTP responses with oversized header values to crash the application and make it unavailable.
by Malav Vyas
CVSS 7.5
Web Wiz Forums 12.01 - SQL Injection
Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information.
by n1x_
CVSS 7.5
Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities
by Google Security Research
By Source