Exploitdb Exploits
31,341 exploits tracked across all sources.
PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
by Vulnerability-Lab
Eclipse Jetty < 9.4.43 - Information Disclosure
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
by Mayank Deshmukh
CVSS 5.3
Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
by Vulnerability-Lab
PHPGURUKUL Employee Record Management System 1.2 - SQL Injection
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.
by Anubhav Singh
CVSS 9.8
Dynojet Power Core 2.3.0 - Code Injection
Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access.
by Pedro Sousa Rodrigues
CVSS 7.8
i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw
by LiquidWorm
Codiad 2.8.4 - Remote Code Execution (Authenticated) (4)
by P4p4_M4n3
Umbraco Cms - SSRF
Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.
by NgoAnhDuc
CVSS 5.3
Automatedlogic Webctrl < 6.5 - XSS
The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization.
by 3ndG4me
CVSS 6.1
WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
by Murat DEMİRCİ
WordPress Plugin Filterable Portfolio Gallery 1.0 - 'title' Stored Cross-Site Scripting (XSS)
by Murat DEMİRCİ
Engineers Online Portal - SQL Injection
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.
by Alon Leviev
CVSS 8.8
Engineers Online Portal - SQL Injection
An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
by Alon Leviev
CVSS 9.8
Engineers Online Portal - XSS
A Stored Cross Site Scripting (XSS) Vulneraibiilty exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.
by Alon Leviev
CVSS 5.4
Online Event Booking And Reservation System - XSS
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.
by Alon Leviev
CVSS 5.4
Build Smart ERP 21.0817 - SQL Injection
Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify database information.
by Nehru Sethuraman
CVSS 8.2
Openclinic GA - Incorrect Permission Assignment
OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission to openclinic folders/files. A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace with a malicious file that would connect back to an attacking computer giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also have unquoted service path issues.
by Alessandro Salzano
CVSS 7.8
Gestionaleopen Gestionale Open - Incorrect Default Permissions
An Insecure Permissions issue exists in Gestionale Open 11.00.00. A low privilege account is able to rename the mysqld.exe file located in bin folder and replace with a malicious file that would connect back to an attacking computer giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also have unquoted service path issues.
by Alessandro Salzano
CVSS 7.8
Taxopress < 3.0.7.2 - XSS
The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payload in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
by Akash Patil
CVSS 4.8
WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
by Akash Patil
WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)
by Akash Patil
Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
by SadKris
By Source