Text Exploits
31,383 exploits tracked across all sources.
CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL')
by Daniel González
Credit Lite 1.5.4 - SQL Injection via POST Request Handler
A vulnerability classified as critical was found in Codecanyon Credit Lite 1.5.4. Affected by this vulnerability is an unknown functionality of the file /portal/reports/account_statement of the component POST Request Handler. The manipulation of the argument date1/date2 leads to SQL injection. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-237511.
by CraCkEr
CVSS 6.3
Blood Donor Management System v1.0 - Stored XSS
by Ehlullah Albayrak
Pi-hole AdminLTE < 5.17 - Unauthenticated Improper Access Control in queryads Endpoint
Pi-hole is a network-wide ad blocker that runs on your own Linux hardware; AdminLTE is the Pi-hole dashboard for statistics and more. An attacker can perform unauthorized queries for blocked domains on the `queryads` endpoint. The vulnerability exists because of a lack of validation in the code at the server path
`/admin/scripts/pi-hole/phpqueryads.php`. Unauthenticated threat actors are able to search the blocked-domain lists, which could disclose any victim's personal blacklist.
by kv1to
CVSS 5.3
User Registration & Login and User Management System With Admin Panel 3.0 - SQL Injection via Admin Username Field
SQL Injection vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to obtain sensitive information via a crafted string in the admin username field on the admin login page.
by Ashutosh Singh Umath
CVSS 9.8
User Registration & Login System 3.0 - Stored XSS via Registration Form
Cross Site Scripting (XSS) vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to run arbitrary code via fname, lname, email, and contact fields of the user registration page.
by Ashutosh Singh Umath
CVSS 5.4
TSplus Remote Access <16.0.2.14 - Info Disclosure
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.
by shinnai
CVSS 9.8
TSplus Remote Access <16.0.2.14 - Info Disclosure
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.
by shinnai
CVSS 9.8
TSplus Remote Access <16.0.2.14 - Info Disclosure
An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.
by shinnai
CVSS 9.8
Inosoft VisiWin <2022-2.1 - Privilege Escalation
An issue was discovered in Inosoft VisiWin 7 through 2022-2.1 (Runtime RT7.3 RC3 20221209.5). The "%PROGRAMFILES(X86)%\INOSOFT GmbH" folder has weak permissions for Everyone, allowing an attacker to insert a Trojan horse file that runs as SYSTEM. 2024-1 is a fixed version.
by shinnai
CVSS 7.8
PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities
by Kerimcan Ozturk
Global - Multi School Management System Express v1.0 - SQL Injection
by Ahmet Ümit BAYRAM
Crypto Currency Tracker < 9.5 - Unauthenticated Admin Registration via User Registration Page
Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin account via a crafted POST request.
by 0xBr
CVSS 9.8
Color Prediction Game v1.0 - SQL Injection
by Ahmet Ümit BAYRAM
EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download
by LiquidWorm
EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR)
by LiquidWorm
OutSystems Service Studio 11 11.53.30 - Uncontrolled Search Path Element via .oml File Handling
A DLL hijacking vulnerability has been discovered in OutSystems Service Studio 11 11.53.30 build 61739. When a user opens a .oml file (OutSystems Modeling Language), the application loads the following DLLs from the same directory: av_libGLESv2.dll, libcef.DLL, user32.dll, and d3d10warp.dll. Using a crafted DLL, it is possible to execute arbitrary code in the context of the currently logged-in user.
by shinnai
CVSS 7.8
Lucee 5.4.2.17 - Authenticated Reflected Cross-Site Scripting via Admin Interface Parameters
Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages such as server.cfm and web.cfm to execute arbitrary JavaScript in victims' browser sessions.
by Yehia Elghaly
PyroCMS 3.9 - Remote Code Execution via Server-Side Template Injection
PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.
by Daniel Barros
CVSS 9.8
mooSocial mooStore 3.1.6 - Cross-Site Scripting
A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site scripting. The attack can be launched remotely. The identifier VDB-236209 was assigned to this vulnerability.
by CraCkEr
CVSS 3.5