Exploitdb Exploits
31,329 exploits tracked across all sources.
Softwarepublico E-sic - SQL Injection
E-Sic 1.0 allows SQL injection via the q parameter to esiclivre/restrito/inc/lkpcep.php (aka the search private area).
by Guilherme Assmann
CVSS 9.8
October < 1.0.426 - XSS
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
by Ishaq Mohammed
CVSS 5.4
Tp-link Tl-mr3220 Firmware - XSS
Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering page in TP-LINK TL-MR3220 wireless routers allows remote attackers to inject arbitrary web script or HTML via the Description field.
by Thiago Sena
CVSS 6.1
Dreambox WebControl 2.0.0 - Cross-Site Scripting
There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dreambox devices, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
by Thiago Sena
CVSS 6.1
Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal
by Leonardo Duarte
Complain Management System - Hard-Coded Credentials / Blind SQL injection
by havysec
GNU Binutils - Out-of-Bounds Read
decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.
by Agostino Sarubbo
CVSS 5.5
Microsoft Windows - Privilege Escalation
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.
by siberas
CVSS 7.8
EPESI <1.8.2 - XSS
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
by Zeeshan Shaikh
CVSS 5.4
EPESI <1.8.2 - XSS
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
by Zeeshan Shaikh
CVSS 5.4
Google Chrome <62.0.3202.62 - XSS
Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page.
by Anton Lopanitsyn
CVSS 6.1
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution
by agix
OpenText Document Sciences xPression <4.5SP1 Patch 13 - SQL Injection
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
by Marcin Woloszyn
CVSS 8.8
OpenText Document Sciences xPression v4.5SP1 Patch 13 - SQL Injection
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
by Marcin Woloszyn
CVSS 8.8
NPM-V (Network Power Manager) 2.4.1 - Password Reset
by Saeed reza Zamanian
Microsoft Word 2007 (x86) - Information Disclosure
by Eduardo Braun Prado
Microsoft Office Word Malicious Hta Execution
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
by Eduardo Braun Prado
CVSS 7.8
WPHRM 1.0 - SQL Injection
WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.
by Ihsan Sencan
CVSS 8.8
Converto Video Downloader & Converter - Improper Input Validation
ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File Download via the token parameter to download.php.
by Ihsan Sencan
CVSS 7.5
Trend Micro OfficeScan 11.0 - Use After Free
Pre-authorization Start Remote Process vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to start the fcgiOfcDDA.exe executable or cause a potential INI corruption, which may cause the server disk space to be consumed with dump files from continuous HTTP requests.
by hyp3rlinx
CVSS 7.5
Trend Micro OfficeScan <11.0 - RCE
A potential Man-in-the-Middle (MitM) attack vulnerability in Trend Micro OfficeScan 11.0 and XG may allow attackers to execute arbitrary code on vulnerable installations.
by hyp3rlinx
CVSS 8.1
Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass
by hyp3rlinx
Microsoft Office Groove - 'Workspace Shortcut' Arbitrary Code Execution
by Eduardo Braun Prado
By Source