Text Exploits

31,386 exploits tracked across all sources.

Sort: Activity Stars
CVE-2018-10371 EXPLOITDB MEDIUM text
wunderfarm WF Cookie Consent 1.1.3 - Stored Cross-Site Scripting via Page Title
An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1.3 for WordPress. A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser via a page title.
by B0UG
CVSS 6.1
CVE-2015-1503 EXPLOITDB HIGH text
IceWarp Mail Server <11.2 - Path Traversal
Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or (3) style parameter to webmail/old/calendar/minimizer/index.php.
by Trustwave's SpiderLabs
CVSS 7.5
CVE-2018-6065 EXPLOITDB HIGH text VERIFIED
Google Chrome <65.0.3325.146 - Heap Corruption
Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
by Google Security Research
CVSS 8.8
CVE-2018-5430 EXPLOITDB HIGH text
TIBCO JasperReports Server - Info Disclosure
The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.
by Hector Monsegur
CVSS 8.8
EIP-2026-118345 EXPLOITDB text
Call of Duty Modern Warefare 2 - Buffer Overflow
by momo5502
EIP-2026-116728 EXPLOITDB text
Adobe Reader PDF - Client Side Request Injection
by Alex Inführ
EIP-2026-116224 EXPLOITDB text
Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service
by Tenable NS
CVE-2018-9302 EXPLOITDB CRITICAL text
Cockpit 0.4.4-0.5.5 - Server-Side Request Forgery via URL Parameter
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-14611, which was about version 0.13.0, which (surprisingly) is an earlier version than 0.4.4.
by Qian Wu_ Bo Wang_ Jiawang Zhang
CVSS 9.1
CVE-2018-5234 EXPLOITDB HIGH text
Norton Core <v237 - Command Injection
The Norton Core router prior to v237 may be susceptible to a command injection exploit. This is a type of attack in which the goal is execution of arbitrary commands on the host system via vulnerable software.
by embedi
CVSS 8.0
CVE-2018-10309 EXPLOITDB MEDIUM text
Responsive Cookie Consent <1.8 - XSS
The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.
by B0UG
CVSS 5.4
CVE-2018-10504 EXPLOITDB HIGH text VERIFIED
WebDorado Form Maker by WD <1.12.24 - Code Injection
The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.
by Sairam Jetty
CVSS 7.8
CVE-2018-4139 EXPLOITDB HIGH text VERIFIED
macOS < 10.13.4 - Remote Code Execution in kext tools
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "kext tools" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
by Google Security Research
CVSS 7.8
CVE-2018-10366 EXPLOITDB MEDIUM text
user_project/user and rainlab/user-plugin < 1.5.0 - Stored Cross-Site Scripting in Name Field
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
by 0xB9
CVSS 6.1
CVE-2018-10365 EXPLOITDB MEDIUM text
Threads to Link plugin 1.3 - MyBB - XSS
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
by 0xB9
CVSS 5.4
CVE-2018-10321 EXPLOITDB MEDIUM text
Frog CMS 0.9.5 - XSS
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
by Wenming Jiang
CVSS 4.8
CVE-2016-10036 EXPLOITDB CRITICAL text
JFrog Artifactory < 4.16 - Unauthenticated Unrestricted File Upload via UI Artifact Upload
Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file.
by Alessio Sergi
CVSS 9.8
EIP-2026-102064 EXPLOITDB text
TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Remote Reboot
by Wadeek
CVE-2018-10258 EXPLOITDB HIGH text
Shopy Point of Sale <1.0 - Code Injection
A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
by 8bitsec
CVSS 8.8
CVE-2018-10260 EXPLOITDB HIGH text
HRSALE The Ultimate HRM 1.0.2 - LFI
A Local File Inclusion vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
by 8bitsec
CVSS 8.8
CVE-2018-10257 EXPLOITDB HIGH text
HRSALE The Ultimate HRM <1.0.2 - Command Injection
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
by 8bitsec
CVSS 8.8
CVE-2018-10259 EXPLOITDB MEDIUM text
HRSALE The Ultimate HRM <1.0.2 - XSS
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
by 8bitsec
CVSS 5.4
CVE-2018-10256 EXPLOITDB HIGH text
HRSALE The Ultimate HRM <1.0.2 - SQL Injection
A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query.
by 8bitsec
CVSS 8.8
CVE-2018-7602 EXPLOITDB CRITICAL text VERIFIED
Drupal 7.x < 7.59 - Remote Code Execution
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
by Blaklis
CVSS 9.8
CVE-2018-10255 EXPLOITDB HIGH text
clustercoding Blog Master Pro v1.0 - Command Injection
A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
by 8bitsec
CVSS 8.8
CVE-2018-9137 EXPLOITDB MEDIUM text
open-audit < 2.1 - CSV Injection
Open-AudIT before 2.2 has CSV Injection.
by Sureshbabu Narvaneni
CVSS 6.8