Text Exploits
31,386 exploits tracked across all sources.
Open STA Manager 2.3 Arbitrary File Download via Path Traversal
Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files.
by Ihsan Sencan
CVSS 6.5
AiOPMSD Final 1.0.0 SQL Injection via watch.php
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
AiOPMSD Final 1.0.0 SQL Injection via genre.php
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre parameter to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
AiOPMSD Final 1.0.0 SQL Injection via year.php
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
AiOPMSD Final 1.0.0 SQL Injection via quality.php
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality parameter to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
AiOPMSD Final 1.0.0 SQL Injection via country.php
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country parameter to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
AiOPMSD Final 1.0.0 SQL Injection via director Parameter
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the director parameter to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
AiOPMSD Final 1.0.0 SQL Injection via actor.php
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor parameter to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
AiOPMSD Final 1.0.0 SQL Injection via search.php
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
by Ihsan Sencan
CVSS 8.2
Delta Sql 1.8.2 Arbitrary File Upload via docs_upload.php
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution.
by Ihsan Sencan
CVSS 9.8
PhpTpoint Pharmacy Management System - SQL Injection via index.php Username Parameter
PhpTpoint Pharmacy Management System suffers from a SQL injection vulnerability in the index.php username parameter.
by Boumediene KADDOUR
CVSS 9.8
Adult Filter 1.0 - Buffer Overflow via Black Domain List File
Adult Filter 1.0 has a Buffer Overflow via a crafted Black Domain List file.
by AkkuS
CVSS 7.8
ARDAWAN.COM User Management 1.1 - Stored Cross-Site Scripting via Upload Filename
Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.
by Ismail Tasdelen
CVSS 5.4
ProjeQtOr < 7.2.5 - Remote Code Execution via Image Upload Feature
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
by AkkuS
CVSS 8.8
phptpoint Hospital Management System 1.0 - 'user' SQL injection
by Boumediene KADDOUR
Ekushey Project Manager CRM 3.1 - Stored Cross-Site Scripting via Client Name Parameter
In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.
by Ismail Tasdelen
CVSS 5.4
AjentiCP < 1.2.23.13 - Cross-Site Scripting via File Manager Filename
ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager.
by Numan OZDEMIR
CVSS 6.1
xorg-x11-server <1.20.3 - Privilege Escalation
A flaw was found in xorg-x11-server before 1.20.3: an incorrect permission check for the -modulepath and -logfile options when starting Xorg. The X server allows unprivileged users with the ability to log in to the system via the physical console to escalate their privileges and run arbitrary code with root privileges.
by Hacker Fantastic
CVSS 6.6
Adult Filter 1.0 - Denial of Service (PoC)
by Beren Kuday GÖRÜN