Text Exploits
31,386 exploits tracked across all sources.
INFOR EAM V11.0 Build 201410 - Stored Cross-Site Scripting via Comment Fields
INFOR EAM V11.0 Build 201410 has XSS via comment fields.
by Yoroi
CVSS 5.4
INFOR EAM V11.0 Build 201410 - SQL Injection via Search Filter Value Parameter
INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter.
by Yoroi
CVSS 8.8
Microsoft Windows - Privilege Escalation
Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when Windows fails to properly validate input before loading type libraries, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0213.
by Google Security Research
CVSS 7.0
Adobe Flash Player <= 25.0.0.127 - Memory Corruption via Shape Outline Parsing
Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable memory corruption vulnerability when parsing a shape outline. Successful exploitation could lead to arbitrary code execution.
by Google Security Research
CVSS 7.8
Adobe Flash Player <= 25.0.0.127 - Memory Corruption in SWF Parser
Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable memory corruption vulnerability in the SWF parser. Successful exploitation could lead to arbitrary code execution.
by Google Security Research
CVSS 9.8
Adobe Flash Player < 25.0.0.148 - Memory Corruption in Advanced Video Coding Engine
Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the Advanced Video Coding engine. Successful exploitation could lead to arbitrary code execution.
by Google Security Research
CVSS 8.8
iPhone OS < 10.3.1 - Denial of Service in Notifications Component
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. The issue involves the "Notifications" component. It allows attackers to cause a denial of service via a crafted app.
by CoffeeBreakers
CVSS 5.5
Windows 7 SP1 and Windows Server 2008 SP2/R2 SP1 - Authenticated Information Disclosure via Crafted Document
The Windows kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka "Windows Kernel Information Disclosure Vulnerability," a different vulnerability than CVE-2017-0220, CVE-2017-0258, and CVE-2017-0259.
by Google Security Research
CVSS 4.7
Windows 7 SP1, Server 2008 SP2/R2 SP1, 2012 Gold - Authenticated Info Disclosure via Crafted Document
The Windows kernel in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, and Windows Server 2012 Gold allows authenticated attackers to obtain sensitive information via a specially crafted document, aka "Windows Kernel Information Disclosure Vulnerability," a different vulnerability than CVE-2017-0175, CVE-2017-0258, and CVE-2017-0259.
by Google Security Research
CVSS 4.7
mailcow 0.14 - Cross-Site Request Forgery
mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF.
by hyp3rlinx
CVSS 8.8
PlaySMS 1.4 - Remote Code Execution
PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.
by Touhid M.Shaikh
CVSS 8.8
Blackwave Dive Assistant - Desktop Edition 8.0 - Info Disclosure
XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.
by Trent Gordon
CVSS 5.5
MiniUPnP MiniUPnPc 1.4.20101221-2.0 - Denial of Service via Integer Signedness Error
Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v2.0 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
by tintinweb
CVSS 9.8
QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass
by Kacper Szurek
CMS Made Simple 2.1.6 - Authenticated PHP Code Execution via Edit User Tag
CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug.
by Osanda Malith Jayathissa
CVSS 7.2
Microsoft Malware Protection Engine < 1.1.13701.0 - Remote Code Execution via Crafted File Scan
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability."
by Google Security Research
CVSS 7.8
I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
by SEC Consult
I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
by SEC Consult
wolfSSL < 3.10.2 - Certificate Validation Bypass via Crafted x509 Certificate
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.
by Talos
CVSS 9.8
Personify360 e-Business <7.6.1 - Info Disclosure
An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1. When going to the /TabId/275 URI, while creating a new role, a list of database tables and their columns is available.
by Pesach Zirkind
CVSS 7.5
Personify360 e-Business <7.6.1 - Info Disclosure
An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1. When going to the /TabId/275 URI, anyone can add a vendor account or read existing vendor account data (including usernames and passwords).
by Pesach Zirkind
CVSS 9.8
LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers
by Google Security Research
LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflow
by Google Security Research
LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls
by Google Security Research
By Source