Text Exploits
31,386 exploits tracked across all sources.
Nanopool Claymore Dual Miner <7.3 - RCE
Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API. The flaw can be exploited only if the software is executed with read/write mode enabled.
by ReverseBrain
CVSS 7.5
SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass
by L0RD
SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass
by L0RD
Schneider Electric IONXXXX Series - Cross-Site Request Forgery
An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved.
by t4rkd3vilz
CVSS 8.8
Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
by L0RD
CVSS 6.5
Admin Notes 1.1 - Cross-Site Request Forgery via Clear Table Action
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
by 0xB9
CVSS 6.5
Rockwell Automation CompactLogix 1769-L* < 28.011 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in the web server in Rockwell Automation Allen-Bradley CompactLogix 1769-L* before 28.011+ allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
by t4rkd3vilz
CVSS 6.1
Windows Kernel API - Elevation of Privilege via Permission Enforcement
An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions, aka "Windows Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.
by Google Security Research
CVSS 7.0
VirtueMart < 3.2.14 - Stored Cross-Site Scripting via Backend Textarea Closure
An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the backend of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. By editing back the product/config, the editor's browser will execute everything after the </textarea>, leading to a possible XSS.
by Mattia Furlani
CVSS 5.4
Multiplayer BlackJack Online Casino Game 2.5 - Cross-Site Scripting
by L0RD
RSA Authentication Manager < 8.3 - XML External Entity Injection via Malicious DTD
RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application.
by SEC Consult
CVSS 7.1
XATABoost CMS 1.0.0 SQL Injection via news.php
XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information.
by MgThuraMoeMyint
CVSS 8.2
WUZHI CMS 4.1.0 - XSS
A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI.
by jiguang
CVSS 6.1
WUZHI CMS 4.1.0 - XSS
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
by jiguang
CVSS 5.4
Open-AudIT Professional 2.1.1 - Stored Cross-Site Scripting via Component Name Field
Cross-site scripting (XSS) vulnerability in Open-AudIT Professional 2.1.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the Admin->Logs section (with a logs?logs.type= URI) and the Manage->Attributes section (via the "Name (display)" field to the attributes/create URI).
by Tejesh Kolisetty
CVSS 5.4
Open-AudIT Community 2.2.0 - Stored Cross-Site Scripting via Component Name
Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List Scripts -> Download section.
by Tejesh Kolisetty
CVSS 5.4
EMC RecoverPoint <5.1.1, 5.0.1.3 - Command Injection
An issue was discovered in EMC RecoverPoint for Virtual Machines versions prior to 5.1.1, EMC RecoverPoint version 5.1.0.0, and EMC RecoverPoint versions prior to 5.0.1.3. Command injection vulnerability in Admin CLI may allow a malicious user with admin privileges to escape from the restricted shell to an interactive shell and run arbitrary commands with root privileges.
by Paul Taylor
CVSS 6.7
MyBB Latest Posts on Profile 1.1 - XSS
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.
by 0xB9
CVSS 5.4
ModbusPal 1.6b - XML External Entity Injection via Crafted .xmpp or .xmpa Files
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal, will return the contents of any local files to a remote attacker.
by Trent Gordon
CVSS 5.5
Microsoft Windows FxCop 10/12 - XML External Entity Injection
by hyp3rlinx
DeviceLock Plug and Play Auditor <5.72 - Buffer Overflow
DLPnpAuditor.exe in DeviceLock Plug and Play Auditor (freeware) 5.72 has a Unicode Buffer Overflow (SEH).
by hyp3rlinx
CVSS 7.8
CSP MySQL User Manager 2.3.1 - SQL Injection and Authentication Bypass via Login Username
CSP MySQL User Manager 2.3.1 allows SQL injection, and resultant Authentication Bypass, via a crafted username during a login attempt.
by Youssef Mami
CVSS 9.8
GNU Wget < 1.19.5 - Cookie Injection via HTTP Response Continuation Line
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.
by Harry Sintonen
CVSS 6.5
By Source