Text Exploits

31,341 exploits tracked across all sources.

CVE-2021-46850 EXPLOITDB HIGH text
myVesta Control Panel <0.9.8-26-43 - Command Injection
myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.
by numan türle
CVSS 7.2
CVE-2021-29002 EXPLOITDB MEDIUM text
Plone - XSS
A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter.
by Piyush Patil
CVSS 5.4
CVE-2021-47869 EXPLOITDB HIGH text
Brother BRAdmin Professional 3.75 - Local Privilege Escalation
Brother BRAdmin Professional 3.75 contains an unquoted service path vulnerability in the BRA_Scheduler service that allows local users to potentially execute arbitrary code. Attackers can place a malicious executable named 'BRAdmin' in the C:\Program Files (x86)\Brother\ directory to gain local system privileges.
by Metin Yunus Kandemir
CVSS 7.8
CVE-2021-27969 EXPLOITDB MEDIUM text
Dolphin CMS 7.4.2 - XSS
Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter.
by Piyush Patil
CVSS 4.8
CVE-2021-28271 EXPLOITDB HIGH text
Soyal Technologies SOYAL 701Server 9.0.1 - Privilege Escalation
Soyal Technologies SOYAL 701Server 9.0.1 suffers from an elevation of privileges vulnerability which can be used by an authenticated user to change the executable file with a binary of choice. The vulnerability is due to improper permissions with the 'F' flag (Full) for the 'Everyone' and 'Authenticated Users' groups.
by LiquidWorm
CVSS 8.8
CVE-2021-28269 EXPLOITDB HIGH text
Soyal Technology 701Client <9.0.1 - Privilege Escalation
Soyal Technology 701Client 9.0.1 is vulnerable to insecure permissions: the client.exe binary grants Full permissions to the Authenticated Users group.
by LiquidWorm
CVSS 8.8
EIP-2026-117118 EXPLOITDB text
Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path
by Riadh Bouchahoua
EIP-2026-110150 EXPLOITDB text
Online News Portal 1.0 - 'name' SQL Injection
by Richard Jones
EIP-2026-110149 EXPLOITDB text
Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
by Richard Jones
CVE-2019-12962 EXPLOITDB MEDIUM text
LiveZilla < 8.0.1.1 - XSS
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.
by Clément Cruchet
CVSS 6.1
EIP-2026-102026 EXPLOITDB text
SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
by LiquidWorm
EIP-2026-101827 EXPLOITDB text
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
by LiquidWorm
EIP-2026-101826 EXPLOITDB text
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
by LiquidWorm
EIP-2026-101825 EXPLOITDB text
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
by LiquidWorm
EIP-2026-101824 EXPLOITDB text
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
by LiquidWorm
EIP-2026-101823 EXPLOITDB text
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
by LiquidWorm
EIP-2026-101340 EXPLOITDB text
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
by LiquidWorm
EIP-2026-101031 EXPLOITDB text
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
by LiquidWorm
CVE-2021-47874 EXPLOITDB HIGH text
VFS for Git 1.0.21014.1 - Privilege Escalation
VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem privileges during service startup or system reboot.
by Mohammed Alshehri
CVSS 7.8
CVE-2021-47873 EXPLOITDB HIGH text VERIFIED
VestaCP <0.9.8-25 - XSS
VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload.
by numan türle
CVSS 7.2
CVE-2021-47872 EXPLOITDB HIGH text
SEO Panel <4.9.0 - SQL Injection
SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter.
by Piyush Patil
CVSS 7.1
CVE-2021-47871 EXPLOITDB HIGH text
Hestia Control Panel 1.3.2 - File Write
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.
by numan türle
CVSS 8.8
EIP-2026-111695 EXPLOITDB text
rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)
by Murat ŞEKER
CVE-2021-26935 EXPLOITDB HIGH text
WoWonder < 3.1 - SQL Injection
In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter.
by securityforeveryone.com
CVSS 7.5
CVE-2021-28940 EXPLOITDB CRITICAL text
MagpieRSS 0.72 - Command Injection
Because of an incorrectly escaped exec command in the /extlib/Snoopy.class.inc file of MagpieRSS 0.72, it is possible to add an extra command to the curl binary. This creates an issue on the /scripts/magpie_debug.php and /scripts/magpie_simple.php pages: if you send a specific HTTPS URL in the RSS URL field, you are able to execute arbitrary commands.
by bl4ckh4ck5
CVSS 9.8