Text Exploits
31,394 exploits tracked across all sources.
Polycom RealPresence Resource Manager < 8.3.2 - Session ID Info Disclosure & Privilege Escalation
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.
by SEC Consult
CVSS 9.8
Polycom RealPresence Resource Manager < 8.3.2 - Authenticated Installation Path Exposure via JConfigManager
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows remote authenticated users to obtain the installation path via an HTTP POST request to PlcmRmWeb/JConfigManager.
by SEC Consult
CVSS 6.5
Polycom RealPresence Resource Manager < 8.3.2 - Unspecified Impact via Weak Passwords
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users to have unspecified impact via vectors related to weak passwords.
by SEC Consult
CVSS 7.8
Watchguard XCS <10.0 - SQL Injection
SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to borderpost/imp/compose.php3.
by Security-Assessment.com
Novius OS 5.0.1 - Open Redirect via Login Redirect Parameter
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
by hyp3rlinx
Fiyo CMS 2.0_1.9.1 - SQL Injection via id Parameter or user Parameter
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.
by cfreer
CVSS 9.8
CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion
by otr
Polycom RealPresence Resource Manager < 8.3.2 - Privilege Escalation via Sudo Misconfiguration
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users with access to the plcm account to gain privileges via a script in /var/polycom/cma/upgrade/scripts, related to a sudo misconfiguration.
by SEC Consult
CVSS 7.0
c2box < 4.0.0 - Cross-Site Request Forgery in UserManagement.aspx
Cross-site request forgery (CSRF) vulnerability in SecuritySetting/UserSecurity/UserManagement.aspx in B.A.S C2Box before 4.0.0 (r19171) allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via certain vectors.
by Wissam Bashour
XOOPS <= 2.0.11 - Cross-Site Scripting via Order or CID Parameter
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php.
by GulfTech Security
dedecms < 5.7-sp1 - Unrestricted File Upload
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.
by zise
CVSS 8.8
Endian Firewall < 2.5.1 - Remote Command Execution via Password Change Parameters
Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.
by Ben Lincoln
Koha 3.14.00-3.14.15 - Cross-Site Request Forgery via Member Entry or Flag Endpoints
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 8.0
ManageEngine AssetExplorer 6.1 - Cross-Site Scripting via Publisher Registry Entry
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.
by Suraj Krishnaswami
Koha 3.14.00-3.14.15 - SQL Injection via OPAC Tags Subject Parameter
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 9.8
Koha 3.14.00-3.14.15 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 5.4
Koha 3.14.00-3.14.15 - Path Traversal via Template Path Parameter
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 7.5
Thycotic Secret Server <8.8.000005 - XSS
Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly handled when toggling the password mask.
by Marco Delai
WordPress Plugin Huge-IT Slider 2.7.5 - Multiple Vulnerabilities
by i0akiN SEC-LABORATORY
Vesta Control Panel < 0.9.8-14 - Authenticated Remote Code Execution via Backup Parameter
Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php.
by High-Tech Bridge SA
CVSS 8.8
Joomla! Component com_simpleimageupload - Arbitrary File Upload
by CrashBandicot
GeniXCMS 0.0.3 - Cross-Site Scripting via Posts Page Parameters
Multiple cross-site scripting (XSS) vulnerabilities in the MetalGenix GeniXCMS 0.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) content or (2) title field in an add action in the posts page to index.php or the (3) q parameter in the posts page to index.php.
by hyp3rlinx
MetalGenix GeniXCMS <0.0.3-patch - SQL Injection
Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php.
by cfreer
CVSS 9.8
Adobe Photoshop CC <16.0 - Memory Corruption
Adobe Photoshop CC before 16.0 (aka 2015.0.0) and Adobe Bridge CC before 6.11 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
by Francis Provencher
By Source