Text Exploits
31,386 exploits tracked across all sources.
Media File Manager 1.4.2 - Cross-Site Scripting via dir Parameter in mrelocator_getdir Action
The Media File Manager plugin 1.4.2 for WordPress allows XSS via the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI.
by Pasquale Turi
CVSS 6.1
Media File Manager 1.4.2 - Directory Listing via Path Traversal in dir Parameter
The Media File Manager plugin 1.4.2 for WordPress allows directory listing via a ../ directory traversal in the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI.
by Pasquale Turi
CVSS 5.3
D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery
by hyp3rlinx
PlayJoom 0.10.1 - Unauthenticated SQL Injection via catid Parameter
PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with option=com_playjoom&view=genre&catid=[SQL] to extract sensitive database information including usernames, databases, and version details.
by Ihsan Sencan
CVSS 8.2
OpenSLP 2.0 - Buffer Overflow in SLPFoldWhiteSpace
Buffer overflow in the SLPFoldWhiteSpace function in common/slp_compare.c in OpenSLP 2.0 allows remote attackers to have unspecified impact via a crafted string.
by Magnus Klaaborg Stubman
CVSS 9.8
OpenBiz Cubi Lite 3.0.8 SQL Injection via username Parameter
OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract sensitive database information or bypass authentication.
by AkkuS
CVSS 8.2
OOP CMS BLOG 1.0 - Unauthenticated Cross-Site Request Forgery via addUser.php
OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and role set to administrative privileges to gain unauthorized access.
by Ihsan Sencan
CVSS 5.3
OOP CMS BLOG 1.0 - Unauthenticated SQL Injection via Search Parameter
OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. Attackers can inject SQL commands via the search parameter in search.php, pageid parameter in page.php, and id parameter in posts.php to extract database information including table names, schema names, and database credentials.
by Ihsan Sencan
CVSS 8.2
LibreHealth 2.0.0 - (Authenticated) Arbitrary File Actions
by Carlos Avila
Grocery crud 1.6.1 - 'search_field' SQL Injection
by Loading Kura Kura
iPhone OS < 12.1 - Memory Corruption via Improved Input Validation
A memory corruption issue was addressed with improved input validation. This issue affected versions prior to iOS 12.1.
by Google Security Research
CVSS 7.5
iPhone OS < 12.1 - Memory Corruption via Improved Input Validation
A memory corruption issue was addressed with improved input validation. This issue affected versions prior to iOS 12.1.
by Google Security Research
CVSS 9.8
libiec61850 1.3 - Stack-based Buffer Overflow in prepareGooseBuffer
An issue has been found in libIEC61850 v1.3. It is a stack-based buffer overflow in prepareGooseBuffer in goose/goose_publisher.c.
by Dhiraj Mishra
CVSS 9.8
iPhone OS < 12.1 and watchOS < 5.1 - Memory Corruption
A memory corruption issue was addressed with improved input validation. This issue affected versions prior to iOS 12.1, watchOS 5.1.
by Google Security Research
CVSS 7.8
Microsoft Internet Explorer 11 - Null Pointer Dereference
by LiquidWorm
Voovi Social Networking Script 1.0 - 'user' SQL Injection
by Ihsan Sencan
Poppy Web Interface Generator 0.8 - Arbitrary File Upload
by Ihsan Sencan
Yot CMS 3.3.1 - SQL Injection via aid and cid Parameters
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names.
by Ihsan Sencan
CVSS 8.2
Gate Pass Management System 2.1 SQL Injection via login-exec.php
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application.
by Ihsan Sencan
CVSS 8.2
qdPM 9.1 SQL Injection via filter_by Parameters
qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.
by AkkuS
CVSS 8.2
Anviz AIM CrossChex Standard 4.3.6.0 - Code Injection
Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data.
by LiquidWorm
CVSS 9.8
By Source