Text Exploits
31,392 exploits tracked across all sources.
Advanced Electron Forum 1.0.9 - Persistent Cross-Site Scripting
by hyp3rlinx
Advanced Electron Forum 1.0.9 - Cross-Site Request Forgery
by hyp3rlinx
Amanda 3.3.1 - Privilege Escalation via Amstar --star-path Argument
An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. Amstar is an Amanda Application API script. It should not be run by users directly. It uses star to backup and restore data. It runs binaries with root permissions when parsing the command line argument --star-path.
by Hacker Fantastic
CVSS 7.8
Roundcube Webmail < 1.0.8 and 1.1.x < 1.1.4 - Authenticated Path Traversal via _skin Parameter
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
by High-Tech Bridge SA
CVSS 7.5
Bitrix mcart.xls <6.5.2 - SQL Injection
Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (3) xls_iblock_section_id, (4) firstRow, (5) titleRow, (6) firstColumn, (7) highestColumn, (8) sku_iblock_id, or (9) xls_iblock_section_id_new parameter to admin/mcart_xls_import_step_2.php.
by High-Tech Bridge SA
CVSS 8.0
Manage Engine Applications Manager 12 - Multiple Vulnerabilities
by Bikramaditya Guha
Microsoft Windows - Remote Code Execution via Crafted File in DirectShow
DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted file, aka "DirectShow Heap Corruption Remote Code Execution Vulnerability."
by Google Security Research
CVSS 7.8
Microsoft Windows - Untrusted Search Path DLL Loading Privilege Escalation
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle DLL loading, which allows local users to gain privileges via a crafted application, aka "DLL Loading Remote Code Execution Vulnerability."
by Google Security Research
CVSS 7.8
FingerTec Fingerprint Reader - Remote Access and Remote Enrolment
by Daniel Lawson
Adobe Flash Player < 18.0.0.268 - Use-After-Free
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, and CVE-2015-8650.
by Google Security Research
CVSS 8.8
Adobe Flash Player < 18.0.0.324, 19.x-20.x < 20.0.0.267, AIR < 20.0.0.233 - Use-After-Free
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-8634, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, and CVE-2015-8650.
by Google Security Research
CVSS 8.8
Adobe AIR < 20.0.0.233 - Remote Code Execution via Memory Corruption
Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-8459, CVE-2015-8460, and CVE-2015-8645.
by Google Security Research
CVSS 8.8
WordPress Plugin WP Symposium Pro Social Network Plugin 15.12 - Multiple Vulnerabilities
by Rahul Pratap Singh
Oracle Endeca Information Discovery Studio - Remote Code Execution via XStream Input Stream Manipulation
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
by Brian D. Hysell
CVSS 9.8
Confluence < 5.8.16 - Cross-Site Scripting via PATH_INFO to rest/prototype/1/session/check
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
by Sebastian Perez
CVSS 6.1
Atlassian Confluence <5.8.17 - Info Disclosure
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
by Sebastian Perez
CVSS 4.3
Online Airline Booking System - Multiple Vulnerabilities
by Manish Tanwar
pdfium IsFlagSet (v8 memory management) - SIGSEGV
by Google Security Research
Google Chrome < 46.0.2490.86 - Denial of Service
Multiple unspecified vulnerabilities in Google Chrome before 47.0.2526.73 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
by Google Security Research
By Source