Text Exploits

31,386 exploits tracked across all sources.

Sort: Activity Stars
CVE-2017-15381 EXPLOITDB CRITICAL text
E-Sic 1.0 - SQL Injection via buscacep.php f Parameter
SQL Injection exists in E-Sic 1.0 via the f parameter to esiclivre/restrito/inc/buscacep.php (aka the zip code search script).
by Elber Tavares
CVSS 9.8
CVE-2017-15380 EXPLOITDB MEDIUM text
E-Sic 1.0 - Cross-Site Scripting via Nome Parameter
XSS exists in the E-Sic 1.0 /cadastro/index.php URI (aka the requester's registration area) via the nome parameter.
by Elber Tavares
CVSS 6.1
CVE-2017-15379 EXPLOITDB CRITICAL text
E-Sic 1.0 - Authentication Bypass via SQL Injection
An authentication bypass exists in the E-Sic 1.0 /index (aka login) URI via '=''or' values for the username and password.
by Elber Tavares
CVSS 9.8
CVE-2017-15378 EXPLOITDB HIGH text
E-Sic 1.0 - SQL Injection via Password Reset Parameter
SQL Injection exists in the E-Sic 1.0 password reset parameter (aka the cpfcnpj parameter to the /reset URI).
by Elber Tavares
CVSS 8.8
CVE-2017-15373 EXPLOITDB CRITICAL text
E-Sic 1.0 - SQL Injection via Search Private Area q Parameter
E-Sic 1.0 allows SQL injection via the q parameter to esiclivre/restrito/inc/lkpcep.php (aka the search private area).
by Guilherme Assmann
CVSS 9.8
CVE-2017-15284 EXPLOITDB MEDIUM text
OctoberCMS < 1.0.426 - Stored Cross-Site Scripting via SVG Avatar Upload
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
by Ishaq Mohammed
CVSS 5.4
CVE-2017-15291 EXPLOITDB MEDIUM text
TP-LINK TL-MR3220 Firmware - Stored Cross-Site Scripting via Wireless MAC Filtering Description Field
Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering page in TP-LINK TL-MR3220 wireless routers allows remote attackers to inject arbitrary web script or HTML via the Description field.
by Thiago Sena
CVSS 6.1
CVE-2017-15287 EXPLOITDB MEDIUM text
Dreambox WebControl 2.0.0 - Cross-Site Scripting
There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dreambox devices, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
by Thiago Sena
CVSS 6.1
EIP-2026-103328 EXPLOITDB text
Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal
by Leonardo Duarte
EIP-2026-106101 EXPLOITDB text
Complain Management System - Hard-Coded Credentials / Blind SQL injection
by havysec
CVE-2017-14939 EXPLOITDB MEDIUM text
GNU Binutils 2.29 - Heap-Based Buffer Over-Read in decode_line_info
decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.
by Agostino Sarubbo
CVSS 5.5
EIP-2026-105945 EXPLOITDB text
ClipShare 7.0 - SQL Injection
by 8bitsec
CVE-2016-3309 EXPLOITDB HIGH text
Microsoft Windows - Privilege Escalation
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.
by siberas
CVSS 7.8
CVE-2017-14712 EXPLOITDB MEDIUM text
EPESI < 1.8.2 - Stored Cross-Site Scripting in Tasks Phonecall Notes Title
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
by Zeeshan Shaikh
CVSS 5.4
CVE-2017-14717 EXPLOITDB MEDIUM text
EPESI < 1.8.2.4 - Stored Cross-Site Scripting in Tasks Description Parameter
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
by Zeeshan Shaikh
CVSS 5.4
CVE-2017-5124 EXPLOITDB MEDIUM text
Google Chrome < 62.0.3202.62 - Universal Cross-Site Scripting via MHTML Page
Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page.
by Anton Lopanitsyn
CVSS 6.1
EIP-2026-101732 EXPLOITDB text
Fiberhome AN5506-04-F - Command Injection
by Tauco
EIP-2026-103234 EXPLOITDB text
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution
by agix
CVE-2017-14757 EXPLOITDB HIGH text
OpenText Document Sciences xPression <4.5SP1 Patch 13 - SQL Injection
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
by Marcin Woloszyn
CVSS 8.8
CVE-2017-14758 EXPLOITDB HIGH text
OpenText Document Sciences xPression v4.5SP1 Patch 13 - SQL Injection
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
by Marcin Woloszyn
CVSS 8.8
EIP-2026-101897 EXPLOITDB text
NPM-V (Network Power Manager) 2.4.1 - Password Reset
by Saeed reza Zamanian
EIP-2026-119543 EXPLOITDB text
Microsoft Word 2007 (x86) - Information Disclosure
by Eduardo Braun Prado
CVE-2017-0199 EXPLOITDB HIGH text
Microsoft Office Word Malicious Hta Execution
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
by Eduardo Braun Prado
CVSS 7.8
CVE-2017-14848 EXPLOITDB HIGH text
WPHRM Human Resource Management System for WordPress 1.0 - SQL Injection via employee_id Parameter
WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.
by Ihsan Sencan
CVSS 8.8
CVE-2017-15956 EXPLOITDB HIGH text
ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download via Token Parameter
ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File Download via the token parameter to download.php.
by Ihsan Sencan
CVSS 7.5