Text Exploits
31,386 exploits tracked across all sources.
WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
by Murat DEMİRCİ
WordPress Plugin Filterable Portfolio Gallery 1.0 Stored XSS
Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is previewed, affecting all users viewing the page.
by Murat DEMİRCİ
CVSS 6.4
Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated
Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information.
by blockomat2100
CVSS 8.2
Sourcecodester Engineers Online Portal - SQL Injection via Quiz Question ID Parameter
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and, in some cases, achieve remote code execution on the web server.
by Alon Leviev
CVSS 8.8
Engineers Online Portal - SQL Injection via Login Form
An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
by Alon Leviev
CVSS 9.8
Engineers Online Portal - Stored Cross-Site Scripting via Quiz Title and Description Parameters
A Stored Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the (1) quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability to run JavaScript in the browsers of users visiting the site, which can lead to cookie theft and more.
by Alon Leviev
CVSS 5.4
Sourcecodester Online Event Booking and Reservation System - Stored Cross-Site Scripting via Holiday Reason Parameter
A Stored Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability to run JavaScript in the browsers of users visiting the site, which can lead to cookie theft and more.
by Alon Leviev
CVSS 5.4
Build Smart ERP 21.0817 - SQL Injection
Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify database information.
by Nehru Sethuraman
CVSS 8.2
OpenClinic GA 5.194.18 - Authenticated Insecure Permissions and Unquoted Service Path
OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission on OpenClinic folders/files. A low-privilege account is able to rename the mysqld.exe or tomcat8.exe files located in the bin folders and replace them with a malicious file that would connect back to an attacking computer, giving system-level privileges (nt authority\system) because the service runs as Local System. While a low-privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also has unquoted service path issues.
by Alessandro Salzano
CVSS 7.8
Gestionale Open 11.00.00 - Insecure Permissions Leading to Privilege Escalation via mysqld.exe Replacement
An Insecure Permissions issue exists in Gestionale Open 11.00.00. A low-privilege account is able to rename the mysqld.exe file located in the bin folder and replace it with a malicious file that would connect back to an attacking computer, giving system-level privileges (nt authority\system) because the service runs as Local System. While a low-privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also has unquoted service path issues.
by Alessandro Salzano
CVSS 7.8
TaxoPress < 3.0.7.2 - Authenticated Stored Cross-Site Scripting in Taxonomy Description Field
The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high-privilege users to place JavaScript payloads in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
by Akash Patil
CVSS 4.8
WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
by Akash Patil
WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)
by Akash Patil
Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
by SadKris
Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
by Sam Ferguson
Eclipse Jetty - Information Disclosure
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
by Mayank Deshmukh
CVSS 5.3
Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
by z4nd3r
Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
by Ghuliev
Macro Expert 4.7 - Privilege Escalation
Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup.
by Mert Daş
CVSS 7.8
Dolibarr ERP/CRM 14.0.2 - Stored Cross-Site Scripting in Ticket Creation Module
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.
by Oscar Gil Gutierrez
CVSS 5.4
SonicWall SMA 200/210/400/410/500v < 9.0.0.10-28sv - Unauthenticated Arbitrary File Deletion via Path Traversal Bypass
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
by Jacob Baines
CVSS 9.1
Enfold < 4.8.4 - Reflected Cross-Site Scripting via Avia Page Builder
The Enfold WordPress theme before 4.8.4 is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present in Enfold versions earlier than 4.8.4 that use the Avia Page Builder.
by David Álvarez Robles
CVSS 6.1
myfactory FMS < 7.1-912 - Cross-Site Scripting via Error Parameter
myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
by RedTeam Pentesting GmbH
CVSS 6.1
Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)
by John Jefferson Li