Exploitdb Exploits
31,368 exploits tracked across all sources.
Brynamics - Information Disclosure
Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for the /dashboard/deposit URI, as demonstrated by discovering database credentials.
by L0RD
CVSS 9.8
Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection
by hyp3rlinx
Hycus Cms - Authentication Bypass
Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" credentials.
by Berk Dusunur
CVSS 9.8
DIGISOL DG-HR3400 - XSS
DIGISOL DG-HR3400 devices have XSS via a modified SSID when the apssid value is unchanged.
by Adipta Basu
CVSS 6.1
Hongcms - SQL Injection
An issue wan discovered in admin\controllers\database.php in HongCMS 3.0.0. There is a SQL Injection vulnerability via an admin/index.php/database/operate?dbaction=emptytable&tablename= URI.
by Hzllaga
CVSS 7.2
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion
by VulnSpy
PoDoFo 0.9.5 - DoS
In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may result in stack overflow. Remote attackers could leverage this vulnerability to cause a denial-of-service or possibly unspecified other impact via a crafted pdf file.
by r4xis
CVSS 8.8
Foxit PDF Reader Pointer Overwrite UAF
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of typed arrays. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5380.
by mr_me
CVSS 6.5
Ecessa Edge EV150 10.7.4 - CSRF
Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials.
by LiquidWorm
CVSS 5.3
Ecessa WANWorx WVR-30 <10.7.4 - CSRF
Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page.
by LiquidWorm
CVSS 4.3
Ecessa ShieldLink SL175EHQ 10.7.4 - CSRF
Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page.
by LiquidWorm
CVSS 5.3
Intex N150 - CSRF
An issue was discovered on Intex N150 devices. The router firmware suffers from multiple CSRF injection point vulnerabilities including changing user passwords and router settings.
by Samrat Das
CVSS 8.8
Intex N150 - CSRF
An issue was discovered on Intex N150 devices. The router firmware suffers from multiple CSRF injection point vulnerabilities including changing user passwords and router settings.
by Samrat Das
CVSS 8.8
Intex N150 - Info Disclosure
An issue was discovered on Intex N150 devices. The backup/restore option does not check the file extension uploaded for importing a configuration files backup, which can lead to corrupting the router firmware settings or even the uploading of malicious files. In order to exploit the vulnerability, an attacker can upload any malicious file and force reboot the router with it.
by Samrat Das
CVSS 8.1
Foxitsoftware Foxit Reader < 9.0.1.1049 - Use After Free
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Text Annotations. When setting the point attribute, the process does not properly validate the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5620.
by mr_me
CVSS 8.8
iThemes Security <7.0.3 - SQL Injection
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.
by Çlirim Emini
CVSS 7.2
WordPress Comments Import & Export <2.0.4 - Code Injection
The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.
by Bhushan B. Patil
CVSS 7.8
WordPress <1.5.4 - Code Injection
The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
by Bhushan B. Patil
CVSS 7.8
Linux Kernel < 4.17.2 - Denial of Service
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.
by Google Security Research
CVSS 4.9
Ecessa Shieldlink Sl175ehq Firmware - CSRF
ECESSA ShieldLink SL175EHQ 10.7.4 devices have CSRF to add superuser accounts via the cgi-bin/pl_web.cgi/util_configlogin_act URI.
by LiquidWorm
CVSS 8.8
Digisol DG- BR4000NG - XSS
DIGISOL DG-BR4000NG devices have XSS via the SSID (it is validated only on the client side).
by Adipta Basu
CVSS 6.1
AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
by Wadeek
By Source