Text Exploits
31,341 exploits tracked across all sources.
Wifi-soft Unibox Administration - SQL Injection
Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page.
by Ansh Jain
CVSS 9.8
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
by Vulnerability-Lab
PaulPrinting CMS - (Search Delivery) Cross Site Scripting
by Vulnerability-Lab
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
by Vulnerability-Lab
Aures Booking & POS Terminal - Local Privilege Escalation
by Vulnerability-Lab
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
by Vulnerability-Lab
RWS WorldServer <11.7.3 - Info Disclosure
Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.
by RedTeam Pentesting GmbH
CVSS 5.3
Microsoft Office - Privilege Escalation
Microsoft Office Elevation of Privilege Vulnerability
by nu11secur1ty
CVSS 7.8
Blackcat CMS 1.4 - RCE
Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin's PHP file with a 'code' parameter.
by Mirabbas Ağalarov
CVSS 7.2
Blackcat CMS 1.4 - XSS
Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page.
by Mirabbas Ağalarov
CVSS 5.4
CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
by Mirabbas Ağalarov
CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
by Mirabbas Ağalarov
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
by Mirabbas Ağalarov
Backdrop CMS v1.25.1 - Stored Cross-Site Scripting (XSS)
by Mirabbas Ağalarov
TP-Link TL-WR740N - Authenticated Directory Traversal
by Anish Feroz
Winter < 1.2.3 - XSS
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
by abhishek morla
CVSS 2.0
ProjeQtOr Project Management System v10.4.1 - Multiple XSS
by Mirabbas Ağalarov
News Portal v4.0 - SQL Injection (Unauthorized)
by Hubert Wojciechowski
Cisco UCS Director Unauthenticated Remote Code Execution
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.
by Fatih Sencer
CVSS 9.8