Exploitdb Exploits

31,341 exploits tracked across all sources.

CVE-2024-50857 EXPLOITDB MEDIUM text
Gestioip - XSS
The ip_do_job request in GestioIP v3.5.7 is vulnerable to Cross-Site Scripting (XSS). It allows data exfiltration and enables CSRF attacks. The vulnerability requires specific user permissions within the application to exploit successfully.
by Maximiliano Belino
CVSS 4.8
CVE-2024-50858 EXPLOITDB HIGH text
Gestioip - CSRF
Multiple endpoints in GestioIP v3.5.7 are vulnerable to Cross-Site Request Forgery (CSRF). An attacker can execute actions via the admin's browser by hosting a malicious URL, leading to data modification, deletion, or exfiltration.
by Maximiliano Belino
CVSS 8.8
CVE-2024-37383 EXPLOITDB MEDIUM text
Roundcube Webmail < 1.5.7 - XSS
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
by AmirZargham
CVSS 6.1
CVE-2021-44567 EXPLOITDB CRITICAL text
Rosariosis < 7.6.1 - SQL Injection
An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.
by CodeSecLab
CVSS 9.8
CVE-2023-24657 EXPLOITDB MEDIUM text
phpipam <1.6 - XSS
phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php.
by CodeSecLab
CVSS 6.1
CVE-2024-10758 EXPLOITDB HIGH text
Anirbandutta9 News-buzz - SQL Injection
A vulnerability, which was classified as critical, was found in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This affects an unknown part of the file /index.php. The manipulation of the argument user_name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names.
by egsec
CVSS 7.3
CVE-2018-1000638 EXPLOITDB MEDIUM text
MiniCMS 1.1 - XSS
MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection.
by CodeSecLab
CVSS 6.1
CVE-2024-8522 EXPLOITDB CRITICAL text
LearnPress - WordPress LMS Plugin <4.2.7 - SQL Injection
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
by Francisco Moraga (BTshell)
CVSS 10.0
CVE-2020-18662 EXPLOITDB CRITICAL text
Gnuboard5 <=5.3.2.8 - SQL Injection
SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php.
by CodeSecLab
CVSS 9.8
CVE-2021-28976 EXPLOITDB HIGH text
Get-simple Getsimplecms < 3.3.15 - Unrestricted File Upload
Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar files.
by CodeSecLab
CVSS 7.2
CVE-2019-13961 EXPLOITDB HIGH text
flatCore <1.5 - CSRF
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
by CodeSecLab
CVSS 8.8
CVE-2024-53586 EXPLOITDB MEDIUM text
WebFileSys <2.31.0 - Path Traversal
An issue in the relPath parameter of WebFileSys version 2.31.0 allows attackers to perform directory traversal via a crafted HTTP request. By injecting traversal payloads into the parameter, attackers can manipulate file paths and gain unauthorized access to sensitive files, potentially exposing data outside the intended directory.
by Korn Chaisuwan, Charanin Thongudom, Pongtorn Angsuchotmetee
CVSS 5.3
CVE-2023-30258 EXPLOITDB CRITICAL text
Magnussolution Magnusbilling < 7.3.0 - Command Injection
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
by CodeSecLab
CVSS 9.8
CVE-2024-56901 EXPLOITDB HIGH text
Geovision GV-ASWeb <=6.1.1.0 - CSRF
A Cross-Site Request Forgery (CSRF) vulnerability in the Geovision GV-ASWeb application, version 6.1.1.0 or less, allows attackers to arbitrarily create Administrator accounts via a crafted GET request. This vulnerability is used in a chain with CVE-2024-56903 for a successful CSRF attack.
by Giorgi Dograshvili
CVSS 8.8
CVE-2024-56898 EXPLOITDB HIGH text
Geovision GV-ASWeb <6.1.0.0 - Privilege Escalation
Broken access control vulnerability in Geovision GV-ASWeb version v6.1.0.0 or less. This vulnerability allows low-privilege users to perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts.
by Giorgi Dograshvili
CVSS 8.8
EIP-2026-104204 EXPLOITDB text
CMU CERT/CC VINCE 2.0.6 - Stored XSS
by LiquidWorm
EIP-2026-103758 EXPLOITDB text
Netman 204 - Remote command without authentication
by Parsa Rezaie Khiabanloo
CVE-2024-48849 EXPLOITDB CRITICAL text
FLXEON <= 9.3.4 - Info Disclosure
Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON through <= 9.3.4.
by LiquidWorm
CVSS 9.4
CVE-2024-48852 EXPLOITDB CRITICAL text
FLXEON <9.3.4 - Info Disclosure
Insertion of Sensitive Information into Log File vulnerability observed in FLXEON. Some information may be improperly disclosed through HTTPS access. This issue affects FLXEON through <= 9.3.4.
by LiquidWorm
CVSS 9.4
CVE-2024-48841 EXPLOITDB CRITICAL text
FLXEON <9.3.4 - Privilege Escalation
Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4 and older.
by LiquidWorm
CVSS 10.0
EIP-2026-103757 EXPLOITDB text
ABB Cylon FLXeon 9.3.4 - Default Credentials
by LiquidWorm
EIP-2026-103756 EXPLOITDB text
ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery
by LiquidWorm
EIP-2026-103754 EXPLOITDB text
ABB Cylon Aspect 3.08.02 - PHP Session Fixation
by LiquidWorm
CVE-2019-10652 EXPLOITDB HIGH text
Flatcore - Unrestricted File Upload
An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote authenticated administrators to upload arbitrary .php files, related to the addons feature.
by CodeSecLab
CVSS 7.2