Exploitdb Exploits
31,341 exploits tracked across all sources.
Cyclos < 4.14.7 - XSS
A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter.
by Tin Pham
CVSS 6.1
SAP Businessobjects Business Intelligence Platform - Denial of Service
When a user access SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server and in successful exploits of DoS.
by West Shepherd
CVSS 8.1
Telesquare Tlr-2005ksh Firmware - IDOR
TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats.
by Ahmed Alroky
CVSS 9.8
DLink DIR850 ET850-1.08TRb03 - Open Redirect
DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through URL redirection to untrusted site.
by Ahmed Alroky
CVSS 6.1
DLink DIR850 ET850-1.08TRb03 - Info Disclosure
DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through an unauthenticated remote configuration download.
by Ahmed Alroky
CVSS 7.5
D-Link DAP-1620 - Path Traversal
Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
by Momen Eldawakhly
CVSS 7.5
Bookeen Notea Firmware BK_R_1.0.5_20210608 - Path Traversal
Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.
by Clement MAILLIOUX
CVSS 4.6
Gitlab < 14.7.7 - XSS
Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.
by Greenwolf
CVSS 8.7
Gitlab < 14.7.7 - Hard-coded Credentials
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
by Greenwolf
CVSS 9.1
PTPublisher 2.3.4 - Code Injection
PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access.
by bios
CVSS 7.8
EaseUS Data Recovery <15.1.0.0 - Code Injection
EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges.
by bios
CVSS 8.4
Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
by Antonio Cuomo
Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
by Antonio Cuomo
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
by UnD3sc0n0c1d0
Code-atlantic Popup Maker < 1.16.5 - XSS
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
by Roel van Beurden
CVSS 4.8
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
by Mohsen Dehghani
Vanderbilt Redcap < 11.4.0 - XSS
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
by Kendrick Lam
CVSS 9.0
PKP Open Journals System >=2.4.8 - XSS
Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitary code via the X-Forwarded-Host Header.
by Hemant Kashyap
CVSS 6.1
Zyxel NWA-1100-NH - Command Injection
A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
by Ahmed Alroky
CVSS 9.8
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
by LiquidWorm
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
by LiquidWorm
MiniTool Partition Wizard v12.0 - Privilege Escalation
MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
by Saud Alenazi
CVSS 7.8
By Source