Exploitdb Exploits
31,341 exploits tracked across all sources.
ChurchCRM <4.5.4 - XSS
ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.
by Rahad Chowdhury
CVSS 4.8
Bludit v3.14.1 - XSS
Bludit v3.14.1 is vulnerable to Stored Cross Site Scripting (XSS) via SVG file on site logo. NOTE: the product's security model is that users are trusted by the administrator to insert arbitrary content (users cannot create their own accounts through self-registration).
by Rahad Chowdhury
CVSS 5.4
Squarepiginteractive Fusioninvoice - XSS
Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionInvoice 2023-1.0, allows attackers to execute arbitrary code via the description or content fields to the expenses, tasks, and customer details.
by Andrea Intilangelo
CVSS 6.1
Yank Note <3.52.1 - RCE
Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process').
by 8bitsec
CVSS 8.8
Gin 0.7.4 - RCE
Gin 0.7.4 allows execution of arbitrary code when a crafted file is opened, e.g., via require('child_process').
by 8bitsec
CVSS 7.8
PnPSCADA - SQL Injection
The PnPSCADA system, a product of SDG Technologies CC, is afflicted by a critical unauthenticated error-based PostgreSQL Injection vulnerability. Present within the hitlogcsv.jsp endpoint, this security flaw permits unauthenticated attackers to engage with the underlying database seamlessly and passively. Consequently, malicious actors could gain access to vital information, such as Industrial Control System (ICS) and OT data, alongside other sensitive records like SMS and SMS Logs. The unauthorized database access exposes compromised systems to potential manipulation or breach of essential infrastructure data, highlighting the severity of this vulnerability.
by Momen Eldawakhly
CVSS 9.8
Optoma 1080pstx - Authentication Bypass
An authentication bypass in Optoma 1080PSTX C02 allows an attacker to access the administration console without valid credentials.
by Anthony Cole
CVSS 9.8
TinyWebGallery v2.5 - XSS
TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages.
by Mirabbas Ağalarov
CVSS 5.4
RockMongo 1.1.7 - XSS
RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability by submitting crafted payloads in database, collection, and login parameters to execute arbitrary JavaScript in victim's browser.
by Rafael Pedrero
CVSS 5.4
Epson Stylus SX510W - DoS
The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting in the printer process shutting down or powering off, causing a denial of service condition.
by Rafael Pedrero
BigProf Online Clinic Management System 2.2 - XSS
A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.
by Rafael Pedrero
CVSS 6.3
EasyPHP Webserver 14.1 - Path Traversal
EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attackers can send GET requests with encoded directory traversal sequences like /..%5c..%5c to read system files such as /windows/win.ini.
by Rafael Pedrero
CVSS 6.5
EasyPHP Webserver 14.1 - Command Injection
EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges.
by Rafael Pedrero
CVSS 9.8
Codigo Markdown Editor 1.0.1 - Code Injection
Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js child_process module when the file is opened.
by 8bitsec
CVSS 7.8
UliCMS 2023.1 - XSS
UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users.
by Mirabbas Ağalarov
CVSS 6.1
UliCMS 2023.1-sniffing-vicuna - RCE
UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.
by Mirabbas Ağalarov
CVSS 8.8
pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
by Mirabbas Ağalarov
KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
by nu11secur1ty
Jedox Cloud - Path Traversal
A Directory Traversal vulnerability in /be/erpc.php in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to execute arbitrary code.
by Team Syslifters
CVSS 8.8
Jedox - Insufficiently Protected Credentials
An Information disclosure vulnerability in /be/rpc.php in Jedox GmbH Jedox 2020.2.5 allow remote, authenticated users with permissions to modify database connections to disclose a connections' cleartext password via the 'test connection' function.
by Team Syslifters
CVSS 5.3
Jedox - Code Injection
A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected.
by Team Syslifters
CVSS 7.5
Jedox - XSS
A Stored cross-site scripting vulnerability in Jedox 2020.2.5 allows remote, authenticated users to inject arbitrary web script or HTML in the Logs page via the log module 'log'.
by Team Syslifters
CVSS 5.4
Jedox GmbH Jedox <2020.2.5 - Command Injection
The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts.
by Team Syslifters
CVSS 8.8
By Source