Exploitdb Exploits
31,341 exploits tracked across all sources.
Digital Crime Report Management System 1.0 - SQL Injection
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints.
by GaluhID
CVSS 8.2
jQuery <3.5.0 - XSS
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
by Central InfoSec
CVSS 6.9
jQuery <3.5.0 - XSS
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
by Central InfoSec
CVSS 6.9
MariaDB <10.2.37, 10.3.28, 10.4.18, 10.5.9 - RCE
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
by Central InfoSec
CVSS 7.2
CITSmart <9.1.2.28 - Info Disclosure
CITSmart before 9.1.2.28 mishandles the "filtro de autocomplete."
by skysbsb
CVSS 8.8
Citsmart < 9.1.2.23 - Injection
CITSmart before 9.1.2.23 allows LDAP Injection.
by skysbsb
CVSS 9.8
Genexis Platinum 4410 Firmware - OS Command Injection
Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.
by Jay Sharma
CVSS 9.8
Blitar Tourism 1.0 - Auth Bypass
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access.
by sigeri94
CVSS 8.2
Simple Student Information System 1.0 - SQL Injection (Authentication Bypass)
by GaluhID
ExpressVPN Router < - Info Disclosure
An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.
by Jai Kumar Sharma
CVSS 7.5
Cmsimple - XSS
CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection.
by Quadron Research Lab
CVSS 6.1
Composr 10.0.36 - Code Injection
Composr 10.0.36 allows upload and execution of PHP files.
by Orion Hridoy
CVSS 9.8
Composr 10.0.36 - XSS
Composr 10.0.36 allows XSS in an XML script.
by Orion Hridoy
CVSS 6.1
Atlassian Jira Service Desk < 4.10.0 - XSS
The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.
by Captain_hook
CVSS 4.8
Yodinfo Mini Mouse - Path Traversal
Mini Mouse 9.3.0 contains a path traversal vulnerability that allows attackers to access sensitive system directories through the device information endpoint. Attackers can retrieve file lists from system directories like /usr, /etc, and /var by manipulating file path parameters in API requests.
by gosh
CVSS 6.2
Simple Food Website - SQL Injection
A SQL INJECTION vulnerability in Sourcecodester Simple Food Website 1.0 allows a remote attacker to Bypass Authentication and become Admin.
by Viren Saroha
CVSS 9.8
Basic Shopping Cart - SQL Injection
A SQL Injection vulnerability in Sourcecodester Basic Shopping Cart 1.0 allows a remote attacker to Bypass Authentication and become Admin.
by Viren Saroha
CVSS 9.8
Rockstar Games Launcher <1.0.37.349 - Privilege Escalation
Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. Attackers can replace the RockstarService.exe with a malicious binary to create a new administrator user and gain elevated system access.
by George Tsimpidas
CVSS 8.8
Yodinfo Mini Mouse - Path Traversal
Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. Attackers can retrieve sensitive files like win.ini and list contents of system directories such as C:\Users\Public by manipulating file and path parameters.
by gosh
CVSS 7.5
ZBL EPON ONU Broadband Router V100R001 - Privilege Escalation
ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities.
by LiquidWorm
CVSS 7.5
phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)
by Valerio Severini
Openlitespeed 1.7.9 - XSS
Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the Default Icon.
by cmOs
CVSS 7.2
By Source