Text Exploits

31,386 exploits tracked across all sources.

EIP-2026-106960 EXPLOITDB text
Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting
by Shivam Verma
CVE-2020-35737 EXPLOITDB HIGH text
Newgen eGov <12.0 - Info Disclosure
In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users' profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference.
by ALI AL SINAN
CVSS 7.5
CVE-2021-3018 EXPLOITDB CRITICAL text
ipeak Infosystems ibexwebCMS <3.5 - SQL Injection
ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page.
by MoeAlBarbari
CVSS 9.8
EIP-2026-102335 EXPLOITDB text VERIFIED
H2 Database 1.4.199 - JNI Code Execution
by 1F98D
CVE-2021-47983 EXPLOITDB MEDIUM text
WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code
WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.
by Park Won Seok
CVSS 6.4
CVE-2021-47982 EXPLOITDB MEDIUM text
WordPress Plugin WP-Paginate 2.1.3 Stored XSS via preset
WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Attackers can submit POST requests to the plugin settings page with script payloads in the preset parameter that are stored and executed when administrators view the settings.
by Park Won Seok
CVSS 6.4
CVE-2020-35752 EXPLOITDB MEDIUM text
Baby Care System 1.0 - Stored Cross-Site Scripting via Post Title Parameter
Baby Care System 1.0 is affected by a cross-site scripting (XSS) vulnerability in the Edit Page tab through the Post title parameter.
by Hardik Solanki
CVSS 5.4
CVE-2020-36084 EXPLOITDB CRITICAL text
SourceCodester Responsive E-Learning System 1.0 - SQL Injection via id Parameter
SQL injection vulnerability in SourceCodester Responsive E-Learning System 1.0 allows remote attackers to inject SQL queries via the id field in /elearning/delete_teacher_students.php?id=.
by Kshitiz Raj
CVSS 9.8
EIP-2026-117328 EXPLOITDB text
Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
by Geovanni Ruiz
CVE-2020-28169 EXPLOITDB HIGH text
td-agent-builder < 2020-12-18 - Privilege Escalation via Writable bin Directory
The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.
by Adrian Bondocea
CVSS 7.0
EIP-2026-111759 EXPLOITDB text
Resumes Management and Job Application Website 1.0 - Authentication Bypass
by Kshitiz Raj
EIP-2026-110147 EXPLOITDB text
Online Movie Streaming 1.0 - Authentication Bypass
by Kshitiz Raj
EIP-2026-106261 EXPLOITDB text
CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
by SunCSR
EIP-2026-104231 EXPLOITDB text
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting
by Mesut Cetin
CVE-2020-36931 EXPLOITDB MEDIUM text
Click2Magic 1.1.5 - Stored Cross-Site Scripting via Chat Name Input
Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests.
by Shivam Verma
CVSS 6.4
CVE-2020-36953 EXPLOITDB HIGH text
MiniTool ShadowMaker 3.2 - Local Privilege Escalation
MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' to inject malicious executables and escalate privileges.
by Thalia Nieto
CVSS 7.8
CVE-2020-36941 EXPLOITDB CRITICAL text
Knockpy 4.1.1 - CSV Injection via Server Header Manipulation
Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.
by Dolev Farhi
CVSS 9.8
CVE-2020-35853 EXPLOITDB MEDIUM text
4images 1.7.11 - Stored Cross-Site Scripting via Image URL
4images Image Gallery Management System 1.7.11 is affected by cross-site scripting (XSS) in the Image URL. An attacker can inject an XSS payload into the Image URL. Each time a user visits that URL, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
by Ritesh Gohil
CVSS 4.8
CVE-2019-16223 EXPLOITDB MEDIUM text
WordPress < 5.2.3 - Authenticated Cross-Site Scripting in Post Preview
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
by gx1
CVSS 5.4
CVE-2020-35437 EXPLOITDB MEDIUM text
Subrion CMS 4.2.1 - Cross-Site Scripting via Avatar Path Parameter
Subrion CMS 4.2.1 is affected by cross-site scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI.
by icekam
CVSS 6.1
EIP-2026-105988 EXPLOITDB text
CMS Made Simple 2.2.15 - RCE (Authenticated)
by Andrey Stoykov
CVE-2020-35598 EXPLOITDB HIGH text
ACS Advanced Comment System 1.0 - Path Traversal via ACS_path Parameter
ACS Advanced Comment System 1.0 is affected by directory traversal via an advanced_component_system/index.php?ACS_path=..%2f URI. NOTE: this might be the same as CVE-2009-4623.
by Francisco Javier Santiago Vázquez
CVSS 7.5
EIP-2026-114260 EXPLOITDB text
WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting
by Park Won Seok
EIP-2026-113539 EXPLOITDB text
WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload
by spacehen
EIP-2026-105192 EXPLOITDB text
Apartment Visitors Management System 1.0 - Authentication Bypass
by Kshitiz Raj