Exploitdb Exploits
31,346 exploits tracked across all sources.
Typesetter CMS <5.1 - XSS
Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy.
by Alperen Ergel
CVSS 4.8
Get-simple Getsimple Cms - XSS
GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page
by Roel van Beurden
CVSS 5.4
Cmsmadesimple Cms Made Simple - XSS
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.
by Roel van Beurden
CVSS 5.4
SpinetiX Fusion Digital Signage 3.4.8 - Info Disclosure
SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses.
by LiquidWorm
CVSS 5.3
SpinetiX Fusion Digital Signage <3.4.8 - Info Disclosure
SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory. Attackers can access the /content/files/backups/ endpoint to download sensitive backup files containing user credentials and system information.
by LiquidWorm
CVSS 7.5
SpinetiX Fusion Digital Signage 3.4.8 - CSRF
SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full system privileges when a logged-in user visits the page.
by LiquidWorm
CVSS 8.8
BrightSign Digital Signage Diagnostic Web Server <8.2.26 - SSRF
BrightSign Digital Signage Diagnostic Web Server 8.2.26 and less contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service. Attackers can specify external domains to bypass firewalls and perform network enumeration by forcing the application to make arbitrary HTTP requests to internal network hosts.
by LiquidWorm
SpinetiX Fusion Digital Signage <3.4.8 - Path Traversal
SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.
by LiquidWorm
CVSS 8.1
Websitebaker - SQL Injection
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
by Roel van Beurden
CVSS 9.8
Monocms - Path Traversal
MonoCMS Blog 1.0 is affected by: Arbitrary File Deletion. Any authenticated user can delete files on and off the webserver (php files can be unlinked and not deleted).
by Shahrukh Iqbal Mirza
CVSS 8.1
Joplin < 1.0.245 - XSS
An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
by Ademar Nowasky Junior
CVSS 6.1
BigTree CMS <4.4.10 - Command Injection
A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function.
by SunCSR
CVSS 8.8
BigTree CMS <4.4.10 - XSS
A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update.
by SunCSR
CVSS 5.4
BigTree CMS <4.4.10 - SQL Injection
A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function.
by SunCSR
CVSS 8.8
Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
by Sinem Şahin
B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
by LiquidWorm
B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
by LiquidWorm
Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)
by Aporlorxl23
Online Food Ordering System 1.0 - Remote Code Execution
by Eren Şimşek
Flatpress - XSS
FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any user will go to that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
by Alperen Ergel
CVSS 4.8
ForensiT AppX Management Service 2.2.0.4 - Privilege Escalation
ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
by Burhanettin Ozgenc
CVSS 7.8
Blackcat-cms Blackcat Cms < 1.4 - CSRF
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
by Noth
CVSS 8.8
Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
by hyp3rlinx
By Source