Text Exploits
31,386 exploits tracked across all sources.
WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)
by Swapnil Subhash Bodekar
Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Subhadip Nag
Apache Tomcat 7.0.23-7.0.90, 8.5.0-8.5.33, 9.0.0.M1-9.0.11 - Open Redirect via Default Servlet
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
by Central InfoSec
CVSS 4.3
Apache Tomcat 7.0.0-7.0.93 and 8.5.0-8.5.39 and 9.0.0.M1-9.0.0.17 - Cross-Site Scripting via SSI printenv Command
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
by Central InfoSec
CVSS 6.1
Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)
by Subhadip Nag
Wyomind Help Desk Magento 2 <1.3.7 - Path Traversal
Directory Traversal vulnerability in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via the file attachment directory setting.
by Patrik Lantz
CVSS 9.8
Wyomind Help Desk Magento 2 <1.3.7 - RCE
An issue in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via a phar file upload in the ticket message field.
by Patrik Lantz
CVSS 9.8
Wyomind Help Desk Magento 2 <1.3.7 - XSS
Cross Site Scripting Vulnerability in Wyomind Help Desk Magento 2 extension v.1.3.6 and before and fixed in v.1.3.7 allows attackers to escalte privileges via a crafted payload in the ticket message field.
by Patrik Lantz
CVSS 9.0
Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)
by Subhadip Nag
Online Covid Vaccination Scheduler System 1.0 - SQL Injection via Username Parameter
Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, an attacker can decrypt and obtain the plain-text password. Hence, the attacker could authenticate as Administrator.
by faisalfs10x
CVSS 8.1
perfex_crm 1.10 - Cross-Site Scripting via /clients/profile
perfex crm 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile.
by Alhasan Abbas
CVSS 5.4
Phone Shop Sales Management System 1.0 - SQL Injection
Sourcecodester Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
by faisalfs10x
CVSS 9.8
Sourcecodester Phone Shop Sales Management System 1.0 - RCE
Arbitrary File Upload in Sourcecodester Phone Shop Sales Management System 1.0 enables RCE.
by faisalfs10x
CVSS 9.8
Visual Tools DVR VX16 <4.2.28 - Privilege Escalation
Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges.
by Andrea D\'Ubaldo
CVSS 6.2
Visual Tools DVR VX16 4.2.28.0 - Unauthenticated Remote Command Execution via User-Agent Header
In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.
by Andrea D\'Ubaldo
CVSS 9.8
WordPress Plugin WP Learn Manager 1.1.2 Stored XSS
WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the `fieldtitle` parameter. Attackers can submit POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field to execute arbitrary JavaScript when administrators view the field ordering interface.
by Mohammed Adam
CVSS 7.2
Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Subhadip Nag
Church Management System 1.0 - Arbitrary File Upload (Authenticated)
by Murat DEMİRCİ
Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)
by Murat DEMİRCİ
Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Murat DEMİRCİ
b2evolution 7.2.2 - Cross-Site Request Forgery in Admin Account Details
b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage.
by Alperen Ergel
CVSS 5.3
WinWaste.NET 1.0.6183.16475 - Unauthenticated Local Privilege Escalation via Executable Replacement
WinWaste.NET version 1.0.6183.16475 has incorrect permissions, allowing a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.
by Andrea Intilangelo
CVSS 7.8
Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
by ircashem
scratch-svg-renderer < 0.2.0-prerelease.20201019174008 - Cross-Site Scripting via SVG Injection in loadString
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
by Stig Magnus Baugstø
CVSS 9.6
AKCP sensorProbe <SP480-20210624 - XSS
Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
by Tyler Butler
CVSS 5.4
By Source