Text Exploits
31,386 exploits tracked across all sources.
Rich Text Editor < 6.6 - Path Traversal and Arbitrary File Write via ServerMapPath Function
CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory.
by Stefan Hesselman
CVSS 7.5
Duplicator < 1.4.7.1 - Information Disclosure
The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, PHP version and the full file system path to the site.
by SecuriTrust
CVSS 5.3
Duplicator <1.4.7 - Info Disclosure
The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.
by SecuriTrust
CVSS 7.5
Wavlink WN533A8 M33A8.V5030.190716 - Info Disclosure
An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].
by Ahmed Alroky
CVSS 7.5
Wavlink WN533A8 M33A8.V5030.190716 - XSS
Wavlink WN533A8 M33A8.V5030.190716 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login_page parameter.
by Ahmed Alroky
CVSS 6.1
Wavlink WN530HG4 M30HG4.V5030.191116 - Info Disclosure
An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].
by Ahmed Alroky
CVSS 7.5
GeoNetwork 3.10-4.2.0 - XML External Entity Injection via PDF Rendering
Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.
by Amel BOUZIANE-LEBLOND
CVSS 6.5
WP-UserOnline <= 2.87.6 - Authenticated Stored Cross-Site Scripting via browsingpage text Parameter
The WP-UserOnline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'templates[browsingpage][text]' parameter in versions up to, and including, 2.87.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative capabilities and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html is disabled.
by Steffin Stanly
CVSS 5.5
ASUSTeK Aura Ready Game SDK <1.0.0.4 - Privilege Escalation
There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\ASUS\GameSDK.exe file.
by Angelo Pio Amirante
CVSS 7.8
Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal
by LiquidWorm
WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi
by nu11secur1ty
Kite 4.2.0.1 U1 Unquoted Service Path Privilege Escalation
Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts.
by Ghaleb Al-otaibi
CVSS 7.8
Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path
by Esant1490
Magnolia CMS 6.2.19 - Stored Cross-Site Scripting via Edit Contact Function
Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by Giulio Garzia Ozozuz
CVSS 6.1
Mailhog 1.0.1 - Stored Cross-Site Scripting via Email Attachment
Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation.
by Vulnz
CVSS 7.2
Virtua Cobranca < 12r - SQL Injection via Login Page
Virtua Cobranca before 12R allows SQL Injection on the login page.
by Luca Regne
CVSS 7.5
Marval MSM v14.19.0.12476 - OS Command Injection via VBScript Handling
Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts.
by Momen Eldawakhly
CVSS 9.8
Marval MSM v14.19.0.12476 - Cross-Site Request Forgery via 2FA Disable Form
Marval MSM v14.19.0.12476 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can disable 2FA by sending the user a malicious form.
by Momen Eldawakhly
CVSS 6.5
Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
by Eduardo Braun Prado
Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
by Eduardo Braun Prado
HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
by Ali Alipour
Old Age Home Management System 1.0 - SQLi Authentication Bypass
by twseptian
ChurchCRM 4.4.5 - SQL Injection via PersonID Parameter
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
by nu11secur1ty
CVSS 7.2
Avantune Genialcloud ProJ <10 - XSS
A reflected cross-site scripting (XSS) vulnerability in the login portal of Avantune Genialcloud ProJ - 10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by Andrea Intilangelo
CVSS 6.1