Text Exploits
31,329 exploits tracked across all sources.
Sophos Cyberoam Firmware < 10.6.4 - XSS
An XSS vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of Sophos Cyberoam firewall devices with firmware through 10.6.4. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a request to the "LiveConnectionDetail.jsp" application. GET parameters "applicationname" and "username" are improperly sanitized allowing an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the user. A vulnerable URI is /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp.
by Bhadresh Patel
CVSS 6.1
Apple Iphone OS < 10.3.2 - Memory Corruption
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "Foundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted data.
by Google Security Research
CVSS 9.8
Apple Iphone OS < 10.3.2 - Memory Corruption
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "CoreFoundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted data.
by Google Security Research
CVSS 9.8
Apple Iphone OS < 10.3.2 - Memory Corruption
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "TextInput" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted data.
by Google Security Research
CVSS 9.8
Apple Mac OS X < 10.12.4 - Memory Corruption
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "CoreAnimation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory consumption and application crash) via crafted data.
by Google Security Research
CVSS 9.8
Apple <10.12.5 - Info Disclosure
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
by Google Security Research
CVSS 5.0
Apple <10.12.5 - Info Disclosure
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
by Google Security Research
CVSS 5.5
PlaySMS 1.4 - RCE
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.
by Touhid M.Shaikh
CVSS 9.8
Secure Bytes SCA 3.0 - Path Traversal
Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.
by hyp3rlinx
CVSS 7.5
Mantisbt < 1.3.10 - CSRF
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI.
by hyp3rlinx
CVSS 6.5
KMC Information Systems Caseaware - XSS
An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string.
by justpentest
CVSS 6.1
D-Link DIR-600M <3.04 - Auth Bypass
login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote attackers to bypass authentication by entering more than 20 blank spaces in the password field during an admin login attempt.
by Touhid M.Shaikh
CVSS 8.8
SAP Business One for Android <1.2.3 - XSS
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.
by Ravindra Singh Rathore
CVSS 9.6
Tecnovision Dlx Spot Player4 - SQL Injection
SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 version >1.5.10 allows remote unauthenticated users to access the web interface as administrator via a crafted password.
by Simon Brannstrom
CVSS 9.8
Tecnovision Dlx Spot Player4 - Unrestricted File Upload
Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution.
by Simon Brannstrom
CVSS 8.8
Joomla! <3.7.1 - SQL Injection
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
by Mateus Lino
CVSS 9.8
Belden Garrettcom 6K/10K Switches - Authentication Bypass / Memory Corruption
by David Tomaschik
Tecnovision Dlx Spot Player4 - SQL Injection
SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 version >1.5.10 allows remote unauthenticated users to access the web interface as administrator via a crafted password.
by Simon Brannstrom
CVSS 9.8
Oracle PeopleSoft Products - Unauth Info Disclosure
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
by ERPScan
CVSS 6.5
Infor Enterprise Asset Management - XSS
INFOR EAM V11.0 Build 201410 has XSS via comment fields.
by Yoroi
CVSS 5.4
Infor Enterprise Asset Management - SQL Injection
INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter.
by Yoroi
CVSS 8.8
Microsoft Windows - Privilege Escalation
Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when Windows fails to properly validate input before loading type libraries, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0213.
by Google Security Research
CVSS 7.0
Adobe Flash Player < 25.0.0.127 - Memory Corruption
Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable memory corruption vulnerability when parsing a shape outline. Successful exploitation could lead to arbitrary code execution.
by Google Security Research
CVSS 7.8
By Source