Text Exploits
31,386 exploits tracked across all sources.
Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
by Paul Taylor
Frappe ERPNext v11.x.x-develop - Stored Cross-Site Scripting via Comment
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
by Veerababu Penugonda
CVSS 6.1
MakeMyTrip 7.2.4 - Cleartext Storage of Sensitive Information in Local Databases
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
by Divya Jain
CVSS 6.5
Zenar Content Management System Cross-Site Scripting via ajax.php
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the current_page parameter sent to the ajax.php endpoint, which reflects unsanitized user input in the response HTML to execute arbitrary JavaScript in victim browsers.
by Berk Dusunur
CVSS 6.1
Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer
Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.
by Safak Aslan
CVSS 5.3
Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery via URL Parameter
Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters 'url' and 'xml_url'. Attackers can exploit this flaw to bypass firewalls, initiate network enumeration, and potentially trigger external HTTP requests to arbitrary destinations.
by LiquidWorm
CVSS 6.5
Schneider Electric Modicon Quantum, M340, and Premium PLC - Cross-Site Request Forgery
Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and 140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as demonstrated by modifying HTTP credentials.
by t4rkd3vilz
Model Agency Media House & Model Gallery 1.0 - Multiple Vulnerabilities
by L0RD
Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Cross-Site Scripting / Cross-Site Request Forgery
by L0RD
Auto Dealership & Vehicle Showroom WebSys 1.0 - Multiple Vulnerabilities
by L0RD
Siemens SIMATIC S7-1200 < 4.1.3 - Cross-Site Request Forgery
Cross-site request forgery (CSRF) vulnerability in the web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
by t4rkd3vilz
ManageEngine Recovery Manager Plus < 5.3 - Stored XSS via technicianAction.do loginName
A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.
by Ahmet Gurel
CVSS 5.4
Joomla! EkRishta 2.10 Persistent XSS and SQL Injection
Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when users visit the profile, or submit SQL injection payloads via the phone_no parameter to the user_setting endpoint to manipulate database queries.
by Sina Kheirkhah
CVSS 8.2
D-Link DSL-3782 Firmware - Unauthenticated Authentication Bypass in Login Panel
A flaw in the authentication mechanism in the Login Panel of the D-Link DSL-3782 router (A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67") allows unauthenticated attackers to read and modify passwords and configuration while an administrator is logged into the web panel.
by Giulio Comi
CVSS 9.8
Monstra CMS < 3.0.4 - Cross-Site Scripting via index.php
Monstra CMS 3.0.4 and earlier has XSS via index.php.
by Berk Dusunur
CVSS 6.1
Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery
by L0RD
Healwire Online Pharmacy 3.0 - Cross-Site Scripting / Cross-Site Request Forgery
by L0RD
SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure
by Richard Alviarez
SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion
by Richard Alviarez