Text Exploits
31,383 exploits tracked across all sources.
Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters
Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.
by CraCkEr
CVSS 6.1
Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword
Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.
by CraCkEr
CVSS 6.1
Joomla HikaShop 4.7.4 Reflected XSS via Product Filter
Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.
by CraCkEr
CVSS 6.1
Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword
Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials.
by CraCkEr
CVSS 6.1
Zomplog 3.9 - Authenticated Stored Cross-Site Scripting via Page Creation
Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser.
by Mirabbas Ağalarov
CVSS 5.4
mRemoteNG <= 1.76.20 and <= 1.77.3-dev - Cleartext Storage of Sensitive Information in Memory
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
by Maximilian Barz
CVSS 7.5
copyparty < 1.8.7 - Reflected Cross-Site Scripting via URL Parameters
copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one have inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue.
by Vartamtezidis Theodoros
CVSS 6.3
copyparty 1.8.2 - Directory Traversal
by Vartamtezidis Theodoros
RosarioSIS 10.8.4 - CSV Injection via Periods Module
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
by Ranjeet Jaiswal
CVSS 5.4
October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
by Okan Kurtulus
mooSocial mooDating 1.2 - Cross-Site Scripting in URL Handler
A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-235200. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
by CraCkEr
CVSS 3.5
Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
by Andrey Stoykov
Perch CMS 3.2 - Authenticated Stored Cross-Site Scripting via SVG File Upload
Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks.
by Mirabbas Ağalarov
CVSS 5.4
Perch CMS 3.2 - Authenticated Remote Code Execution via Arbitrary PHP File Upload
Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server.
by Mirabbas Ağalarov
CVSS 7.2
Wifi Soft Unibox Administration 3.0-3.1 - SQL Injection via Login Username Field
Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page.
by Ansh Jain
CVSS 9.8
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
by Vulnerability-Lab
PaulPrinting CMS - (Search Delivery) Cross Site Scripting
by Vulnerability-Lab
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
by Vulnerability-Lab
Aures Booking & POS Terminal - Local Privilege Escalation
by Vulnerability-Lab
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
by Vulnerability-Lab
RWS WorldServer <11.7.3 - Info Disclosure
Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.
by RedTeam Pentesting GmbH
CVSS 5.3
Microsoft Office - Privilege Escalation
Microsoft Office Elevation of Privilege Vulnerability
by nu11secur1ty
CVSS 7.8
By Source