Text Exploits
31,383 exploits tracked across all sources.
mooSocial mooStore 3.1.6 - Cross-Site Scripting via Search Query Parameter
A vulnerability, which was classified as problematic, was found in mooSocial mooStore 3.1.6. Affected is an unknown function of the file /search/index. The manipulation of the argument q leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-236208.
by CraCkEr
CVSS 3.5
Templatecookie Adlisting 2.14.0 - Information Disclosure in Redirect Handler
A vulnerability was found in Templatecookie Adlisting 2.14.0. It has been classified as problematic. Affected is an unknown function of the file /ad-list of the component Redirect Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-236184. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter
Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.
by CraCkEr
CVSS 6.1
WordPress adivaha Travel Plugin 2.3 SQL Injection via pid
WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service.
by CraCkEr
CVSS 8.2
WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile
WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.
by CraCkEr
CVSS 6.1
Creativeitem Academy LMS 7.0 - Reflected Cross-Site Scripting via Search Parameter
Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, which only fixed XSS in query and sort_by parameters to the /academy/home/courses endpoint.
by CraCkEr
CVSS 6.1
Webutler 3.2 - Authenticated Remote Code Execution via PHAR File Upload
Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded file.
by Mirabbas Ağalarov
CVSS 7.2
Webedition CMS 2.9.8.8 - Authenticated Stored Cross-Site Scripting via SVG Upload
Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users.
by Mirabbas Ağalarov
CVSS 5.4
Webedition CMS <2.9.8.8 - Authenticated RCE
Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system commands in the description field to execute arbitrary commands on the server.
by Mirabbas Ağalarov
CVSS 7.2
JLex GuestBook 1.6.4 - Reflected Cross-Site Scripting via URL Parameter
JLex GuestBook 1.6.4 contains a reflected cross-site scripting vulnerability in the 'q' URL parameter that allows attackers to inject malicious scripts. Attackers can craft malicious links with XSS payloads to steal session tokens or execute arbitrary JavaScript in victims' browsers.
by CraCkEr
Ozeki SMS Gateway <=10.3.208 - Path Traversal
Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability. Successful exploitation allows an unauthenticated attacker to use URL-encoded traversal sequences to read arbitrary files from the underlying filesystem with the privileges of the gateway service, leading to disclosure of sensitive information.
by Ahmet Ümit BAYRAM
Forminator < 1.24.6 - Unauthenticated Arbitrary File Upload via upload_post_image()
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
by Mehmet Kelepçe
CVSS 9.8
EventON WordPress Plugin < 2.1.2 - Unauthenticated Insecure Direct Object Reference via event_id Parameter
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
by Miguel Santareno
CVSS 5.3
EventON < 2.1.2 - Unauthenticated Insecure Direct Object Reference via eventon_ics_download AJAX Action
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
by Miguel Santareno
CVSS 5.3
PHPJabbers Taxi Booking 2.0 - Cross-Site Scripting via Index Parameter
A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-235963. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Shuttle Booking Software 1.0 - Cross-Site Scripting in /index.php
A vulnerability was found in PHP Jabbers Shuttle Booking Software 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-235959. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Service Booking Script 1.0 - Cross-Site Scripting via Index Parameter
A vulnerability was found in PHP Jabbers Service Booking Script 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-235960. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHP Jabbers Rental Property Booking 2.0 - Cross-Site Scripting via Index Parameter
A vulnerability, which was classified as problematic, has been found in PHP Jabbers Rental Property Booking 2.0. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235964. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Night Club Booking Software 1.0 - Cross-Site Scripting via Index Parameter
A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-235961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting via Index Parameter
A vulnerability classified as problematic has been found in PHP Jabbers Cleaning Business 1.0. Affected is an unknown function of the file /index.php. The manipulation of the argument index leads to cross site scripting. It is possible to launch the attack remotely. VDB-235962 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
Campcodes Online Matrimonial Website System Script <3.3 - XSS
install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.
by Rajdip Dey Sarkar
CVSS 9.8
Adiscon Aiscon LogAnalyzer <4.1.13 - XSS
A Cross Site Scripting (XSS) vulnerability in Adiscon Aiscon LogAnalyzer through 4.1.13 allows a remote attacker to execute arbitrary code via the asktheoracle.php, details.php, index.php, search.php, export.php, reports.php, and statistics.php components.
by Pedro
CVSS 6.1
Academy LMS 6.0 - Cross-Site Scripting via Query/Sort_By Parameter
A vulnerability has been found in Academy LMS 6.0 and classified as problematic. This vulnerability affects unknown code of the file /academy/home/courses. The manipulation of the argument query/sort_by leads to cross site scripting. The attack can be initiated remotely. VDB-235966 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
Shelly 4PM Pro <0.11.0 - Memory Corruption
Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to trigger a BLE out of bounds read fault condition that results in a device reload.
by The Security Team [exploitsecurity.io]
CVSS 5.3
By Source