Text Exploits
31,343 exploits tracked across all sources.
Zstore 6.5.4 - XSS
Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads at manual insertion points to execute arbitrary JavaScript in the victim's browser context.
by nu11secur1ty
CVSS 6.1
Clevo HotKey Clipboard 2.1.0.6 - Code Injection
Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. Attackers can exploit the misconfigured service path to inject and execute arbitrary code by placing malicious executables in specific file system locations.
by Wim Jaap van Vliet
CVSS 8.4
Windows Backup Service - Privilege Escalation
Windows Backup Service Elevation of Privilege Vulnerability
by nu11secur1ty
CVSS 7.1
Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path
by Milad karimi
Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path
by Laguin Benjamin
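The three unquoted-service-path entries above (HKClipSvc, MSExchangeADTopology and PsyFrameGrabberService) share one mechanism: when a service's ImagePath contains spaces and is not wrapped in quotes, the service control manager hands it to CreateProcess, which tries each space-delimited prefix with `.exe` appended before it reaches the intended binary. The Python below is an added example written for this page, not code from the page or from any of the vendors named; it derives those candidate hijack locations from an ImagePath string and produces the quoted fix. The directories in SAMPLE_IMAGE_PATHS are constructed for illustration and are not the products' real install paths.

```python
import re
from typing import Dict, List

# Constructed sample ImagePath values, in the form read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or `sc qc <name>`.
# The directories are assumptions for illustration, not the real install paths.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "HKClipSvc": r"C:\Program Files\Clevo\HotKey Clipboard\HKClipSvc.exe",
    "MSExchangeADTopology": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\TopologyService.exe",
    "PsyFrameGrabberService": r"C:\Program Files (x86)\Chromacam\PsyFrameGrabberService.exe -service",
    "FixedSvc": r'"C:\Program Files\Vendor\Some Tool\svc.exe" -run',
    "NoSpacesSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Return the executable portion of an unquoted ImagePath, arguments stripped."""
    p = image_path.strip()
    m = _EXE_RE.match(p)
    return m.group(1) if m else p.split(" ")[0]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not quoted and the executable path contains a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def hijack_candidates(image_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, before the intended executable:
    every prefix that ends at a space, with .exe appended."""
    if not is_unquoted_with_spaces(image_path):
        return []
    exe = executable_part(image_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted_fix(image_path: str) -> str:
    """The remediation: quote the executable part and keep any arguments."""
    p = image_path.strip()
    if not is_unquoted_with_spaces(p):
        return p
    exe = executable_part(p)
    return f'"{exe}"{p[len(exe):]}'


def audit(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Service name -> candidate hijack locations, for vulnerable services only."""
    findings: Dict[str, List[str]] = {}
    for name, path in image_paths.items():
        cands = hijack_candidates(path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in audit(SAMPLE_IMAGE_PATHS).items():
        print(name)
        for c in cands:
            print("   CreateProcess would try:", c)
        print("   fix:", quoted_fix(SAMPLE_IMAGE_PATHS[name]))
```

A candidate location only matters if a low-privileged user can write there (check with `icacls` on each parent directory) and the service runs as SYSTEM and can be restarted, or the host rebooted, by that user; an unquoted path with no writable prefix is a finding to fix, not a working escalation.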
Roxy-WI <6.1.1.0 - Command Injection
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.
by Nuri Çilengir
CVSS 10.0
Roxy-wi <6.1.1.0 - RCE
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to achieve code execution by sending a specially crafted HTTP request to the /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
by Nuri Çilengir
CVSS 10.0
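The two Roxy-WI entries above describe the same root cause: a request parameter is concatenated into a shell command string and run through a subprocess helper. The Python below is an added example for this page, not code from Roxy-WI's /app/options.py; it shows the vulnerable shape beside two fixes (shell quoting, and argv-list execution with input validation). `echo` stands in for whatever tool the real command runs, SERVER_RE and PAYLOAD are constructed for the example, and the block needs a POSIX /bin/sh.

```python
import re
import shlex
import subprocess

# Constructed allowlist for a server name or IP as management tooling would accept it.
SERVER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")

# Constructed attacker input: a shell metacharacter followed by a second command.
PAYLOAD = "10.0.0.5; echo INJECTED"


def run_vulnerable(server: str) -> str:
    """The flaw class in the advisory: user input pasted into a shell command string."""
    cmd = f"echo checking {server}"  # `echo` stands in for the real tool
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(server: str) -> str:
    """Still a shell string, but the value is quoted so the shell treats it as one word."""
    cmd = f"echo checking {shlex.quote(server)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(server: str) -> str:
    """Validate first, then pass argv as a list so no shell ever parses the input."""
    if not SERVER_RE.match(server):
        raise ValueError(f"rejected server value: {server!r}")
    return subprocess.run(["echo", "checking", server],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))  # second command runs
    print("quoted:    ", repr(run_quoted(PAYLOAD)))      # payload echoed literally
    try:
        run_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened:  ", exc)
```

Quoting alone (run_quoted) stops the injection but keeps a shell in the path, so any later refactor that drops the quote reopens the bug; the argv-list form plus an allowlist is the one to keep.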
Roxy-wi <6.1.1.0 - Auth Bypass
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
by Nuri Çilengir
CVSS 10.0
pimCore v5.4.18-skeleton - Sensitive Cookie with Improper SameSite Attribute
by nu11secur1ty
Metform Elementor Contact Form Builder <3.1.2 - XSS
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user views the injected page, in this case the submissions page.
by Mohammed Chemouri
CVSS 7.2
GLPI <10.0.2 - SQL Injection
GLPI is a free asset and IT management software package covering data center management, ITIL service desk, license tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit SQL injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.
by Nuri Çilengir
CVSS 9.8
Plugin - Info Disclosure
Impact: a public plugin script can be used to read the content of system files. Patches: upgrade to version 1.0.2. Workarounds: the `b/deploy/index.php` file can be deleted if the deploy feature is not used.
by Nuri Çilengir
CVSS 5.3
GLPI <3.0.3 - Info Disclosure
front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter.
by Nuri Çilengir
CVSS 6.5
Managentities <4.0.2 - Path Traversal
The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.
by Nuri Çilengir
CVSS 7.5
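The three plugin entries above (the deploy script, icon.send.php's file parameter and inc/cri.class.php's file parameter) are all file reads driven by a request parameter without a containment check. The Python below is an added example, not code from GLPI or from these plugins; it builds a throwaway directory tree, shows the vulnerable join beside a realpath containment check and a stricter file-name allowlist, and runs a traversal payload through each. The tree layout, file names and the `config_db.php` contents are constructed for the example.

```python
import os
import tempfile


def vulnerable_path(base_dir: str, file_param: str) -> str:
    """Concatenation with no normalisation or containment check (the plugin pattern).
    Note os.path.join also discards base_dir entirely when file_param is absolute."""
    return os.path.join(base_dir, file_param)


def safe_path(base_dir: str, file_param: str) -> str:
    """Resolve '..' and symlinks, then require the result to stay inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base}: {file_param!r}")
    return target


def safe_icon_name(file_param: str) -> str:
    """Stricter alternative for a single-directory sender (icons, logs): accept only a
    bare file name with an expected extension, so '_log/x' or '../x' never reach disk."""
    name = os.path.basename(file_param.replace("\\", "/"))
    if name != file_param or not name.lower().endswith((".png", ".jpg")):
        raise ValueError(f"rejected file name: {file_param!r}")
    return name


def demo() -> dict:
    """Constructed tree: <root>/plugins/cmdb/icons/server.png and <root>/config_db.php."""
    root = tempfile.mkdtemp()
    icons = os.path.join(root, "plugins", "cmdb", "icons")
    os.makedirs(icons)
    with open(os.path.join(icons, "server.png"), "wb") as f:
        f.write(b"PNG-bytes")
    with open(os.path.join(root, "config_db.php"), "w") as f:
        f.write("<?php $dbpassword = 'hunter2';")  # constructed secret

    traversal = "../../../config_db.php"  # three levels up from icons/
    results = {}

    with open(vulnerable_path(icons, traversal)) as f:
        results["vulnerable_read"] = f.read()  # secret leaks

    try:
        safe_path(icons, traversal)
        results["safe_path"] = "allowed"
    except PermissionError:
        results["safe_path"] = "blocked"

    results["safe_legit"] = os.path.basename(safe_path(icons, "server.png"))

    try:
        safe_icon_name(traversal)
        results["safe_name"] = "allowed"
    except ValueError:
        results["safe_name"] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The realpath check is the general fix; the bare-name allowlist is simpler and also covers the `_log/` style of read, where the path never leaves the plugin directory but still reaches files the script was not meant to serve.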
The Cartography <6.0.1 - RCE
The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.
by Nuri Çilengir
CVSS 9.8
Phpgurukul Art Gallery Management System - SQL Injection
Art Gallery Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter.
by Rahul Patwari
CVSS 9.8
Phpgurukul Art Gallery Management System - SQL Injection
Art Gallery Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the cid parameter at product.php.
by Rahul Patwari
CVSS 9.8
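The GLPI actor-field entry and the two Art Gallery entries (editid, cid) are the same bug in numeric and string contexts: a request value spliced into SQL text. The Python below is an added example for this page, not code from either project; it runs constructed payloads against an in-memory SQLite database to show what the vulnerable query returns (every row, then a second table via UNION) and what the parameterized version does with the same input. Table names, rows and the "constructed-hash" value are made up for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed schema and rows; the password value is a placeholder, not a real hash.
SCHEMA_AND_DATA = """
CREATE TABLE tblproducts(id INTEGER PRIMARY KEY, cid INTEGER, name TEXT);
INSERT INTO tblproducts VALUES (1, 1, 'Sunset'), (2, 1, 'Harbour'), (3, 2, 'Night Sky');
CREATE TABLE tbladmin(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO tbladmin VALUES (1, 'admin', 'constructed-hash');
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA_AND_DATA)
    return con


# Numeric context (cid / editid style): no quotes around the value, so no quote is needed to break out.
def products_vulnerable(con: sqlite3.Connection, cid: str) -> List[Tuple[str]]:
    sql = f"SELECT name FROM tblproducts WHERE cid = {cid}"
    return con.execute(sql).fetchall()


def products_hardened(con: sqlite3.Connection, cid: str) -> List[Tuple[str]]:
    """Type-check, then bind; the driver sends the value separately from the SQL text."""
    try:
        cid_int = int(cid)
    except ValueError:
        raise ValueError(f"cid must be an integer: {cid!r}")
    return con.execute("SELECT name FROM tblproducts WHERE cid = ?", (cid_int,)).fetchall()


# String context (actor field style): the attacker closes the quote first.
def by_name_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    sql = f"SELECT name FROM tblproducts WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def by_name_hardened(con: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    return con.execute("SELECT name FROM tblproducts WHERE name = ?", (name,)).fetchall()


# Constructed payloads
TAUTOLOGY = "1 OR 1=1"
UNION = "0 UNION SELECT username || ':' || password FROM tbladmin"
QUOTE_BREAK = "x' OR '1'='1"

if __name__ == "__main__":
    con = open_db()
    print("tautology:", products_vulnerable(con, TAUTOLOGY))   # all three rows
    print("union:    ", products_vulnerable(con, UNION))       # admin credentials row
    print("string:   ", by_name_vulnerable(con, QUOTE_BREAK))  # all three rows
    print("bound:    ", by_name_hardened(con, QUOTE_BREAK))    # no rows
```

The UNION case is why a tautology that "only" lists more products still rates 9.8: once the injection point exists, the same parameter reaches any table the application's database user can read.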
Phpgurukul Art Gallery Management System - XSS
A reflected cross-site scripting (XSS) vulnerability in Art Gallery Management System Project v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the artname parameter under ART TYPE option in the navigation bar.
by Rahul Patwari
CVSS 6.1
Red-gate Sql Monitor - XSS
A Cross-Site Scripting (XSS) vulnerability in the web SQL Monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web script or HTML via the returnUrl parameter.
by geeklinuxman
CVSS 6.1
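The XSS entries on this page fall into two contexts: a value echoed into page text (the Zstore, Metform and artname cases) and a value echoed into a URL-bearing attribute on a login page (the returnUrl case), where the fix is validation of the URL as well as escaping. The Python below is an added example, not code from any of these products; it pairs a vulnerable render with an escaped one for each context and adds a same-site check for returnUrl so that `javascript:` and protocol-relative values fall back to a default. The markup fragments and payloads are constructed for the example.

```python
import html
from urllib.parse import urlsplit


# Text context: the artname-style reflection.
def render_vulnerable(artname: str) -> str:
    return f"<h2>Art type: {artname}</h2>"


def render_body_safe(artname: str) -> str:
    # quote=True also escapes " and ' so the same helper is safe inside attributes
    return f"<h2>Art type: {html.escape(artname, quote=True)}</h2>"


# URL context: a returnUrl that will be placed in an href/action attribute.
def safe_return_url(return_url: str, default: str = "/") -> str:
    """Accept only a same-site absolute path: no scheme, no authority,
    no protocol-relative (//host) or backslash variant, no control characters."""
    url = return_url.strip()
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:          # https://evil, javascript:alert(1), //evil
        return default
    if not url.startswith("/") or url.startswith("//") or url.startswith("/\\"):
        return default
    if any(ord(c) < 0x20 for c in url):       # stray newlines/tabs some parsers ignore
        return default
    return url


def login_form_vulnerable(return_url: str) -> str:
    return f'<form method="post" action="/login?returnUrl={return_url}"></form>'


def login_form_safe(return_url: str) -> str:
    target = html.escape(safe_return_url(return_url), quote=True)
    return f'<form method="post" action="/login?returnUrl={target}"></form>'


if __name__ == "__main__":
    payload = '/x"><script>alert(1)</script>'  # constructed payload
    print(login_form_vulnerable(payload))
    print(login_form_safe(payload))
    print(safe_return_url("javascript:alert(1)"), safe_return_url("//evil.example/"))
```

Escaping alone would have kept a `javascript:` returnUrl intact as a clickable link, and URL validation alone would still let `/x"><script>` break out of the attribute; both layers are needed for this parameter.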
Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)
by Sajibe Kanti