Text Exploits
31,386 exploits tracked across all sources.
Softros Network Time System 2.3.4 - Denial of Service via 11-Byte Packet
NTSServerSvc.exe in the server in Softros Network Time System 2.3.4 allows remote attackers to cause a denial of service (daemon crash) by sending exactly 11 bytes.
by hyp3rlinx
CVSS 7.5
ActivePDF Toolkit < 8.1.0.19023 - Remote Code Execution via Pictview Image Processing
The Pictview image processing library embedded in the ActivePDF toolkit through 2018.1.0.18321 is prone to multiple out of bounds write and sign errors, allowing a remote attacker to execute arbitrary code on vulnerable applications using the ActivePDF Toolkit to process untrusted images.
by François Goichon
CVSS 9.8
ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection
by SEC Consult
ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection
by SEC Consult
Suricata < 4.0.4 - HTTP Detection Bypass via TCP Handshake Evasion
Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.
by Positive Technologies
CVSS 5.3
Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation
by KoreLogic
DualDesk 20 - Remote Denial of Service via Long String to TCP Port 5500
Proxy.exe in DualDesk 20 allows Remote Denial Of Service (daemon crash) via a long string to TCP port 5500.
by hyp3rlinx
CVSS 7.5
uWSGI < 2.0.17 - Path Traversal via --php-docroot Option
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
by Marios Nicolaides
CVSS 7.5
TestLink < 1.9.16 - Remote Code Execution via DB Login Name Injection
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
by Manish Tanwar
CVSS 7.5
antsle antman <0.9.1a - Auth Bypass
antsle antman before 0.9.1a allows remote attackers to bypass authentication via invalid characters in the username and password parameters, as demonstrated by a username=>&password=%0a string to the /login URI. This allows obtaining root permissions within the web management console, because the login process uses Java's ProcessBuilder class and a bash script called antsle-auth with insufficient input validation.
by Joshua Bowser
CVSS 9.8
D-Link DIR-600M C1 3.01 - Stored Cross-Site Scripting via SSID or User Account Name
Cross Site Scripting (XSS) exists on the D-Link DIR-600M C1 3.01 via the SSID or the name of a user account.
by Prasenjit Kanti Paul
CVSS 5.4
routers2 2.24 - Cross-Site Scripting via rtr GET Parameter
A Cross-Site Scripting (XSS) vulnerability was found in Routers2 2.24, affecting the 'rtr' GET parameter in a page=graph action to cgi-bin/routers2.pl.
by Lorenzo Di Fuccia
CVSS 4.7
MyBB My Arcade Plugin 1.3 Persistent XSS via Comment
MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.
by 0xB9
CVSS 6.4
School Management Script 3.0.4 - SQL Injection via Parent Login Username and Password Fields
SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 via the Username and Password fields to parents/Parent_module/parent_login.php.
by Samiran Santra
CVSS 9.8
CMS Made Simple 2.1.6 - Remote Code Execution via Timezone Parameter in Installation
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.
by Keerati T.
CVSS 7.5
Transmission - Integer Overflows Parsing Torrent Files
by Google Security Research
Trend Micro Email Encryption Gateway 5.5 - SQL Injection via Edit Policy Script
A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 edit policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.
by Core Security
CVSS 9.8
Trend Micro Email Encryption Gateway 5.5 - SQL Injection via Policy Script
A SQL injection vulnerability in a Trend Micro Email Encryption Gateway 5.5 policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.
by Core Security
CVSS 9.8
Trend Micro Email Encryption Gateway 5.5 - Stored Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject client-side scripts into vulnerable systems.
by Core Security
CVSS 5.4
Trend Micro Email Encryption Gateway 5.5 - Reflected Cross-Site Scripting in Configuration Files
Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micro Email Encryption Gateway 5.5 configuration files could allow an attacker to inject client-side scripts into vulnerable systems.
by Core Security
CVSS 5.4
Trend Micro Email Encryption Gateway 5.5 - Authenticated XML External Entity Injection
An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script.
by Core Security
CVSS 4.3
Trend Micro Email Encryption Gateway 5.5 - Cross-Site Request Forgery
A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain.
by Core Security
CVSS 8.8
Trend Micro Email Encryption Gateway 5.5 - Unauthenticated Appliance Registration Manipulation
A missing authentication for appliance registration vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to manipulate the registration process of the product to reset configuration parameters.
by Core Security
CVSS 9.8
Trend Micro Email Encryption Gateway 5.5 - OS Command Injection via Log File Location Manipulation
Arbitrary logs location in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to change location of log files and be manipulated to execute arbitrary commands and attain command execution on a vulnerable system.
by Core Security
CVSS 7.8
Trend Micro Email Encryption Gateway 5.5 - Unvalidated Software Update
An unvalidated software update vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a man-in-the-middle attacker to tamper with an update file and inject their own.
by Core Security
CVSS 8.1
By Source