Text Exploits
31,386 exploits tracked across all sources.
Victor CMS < 2019-02-28 - Cross-Site Scripting via Register User Firstname or Lastname Field
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
by Anushree Priyadarshini
CVSS 6.1
Reside Property Management 3.0 - 'profile' SQL Injection
by Behzad Khalifeh
Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
by Ethan Seow
KiteService 1.2020.618.0 - Unquoted Service Path
by Marcos Antonio León
mySCADA myPRO 7 - Use of Hard-coded Credentials in myscadagate.exe
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
by Emre ÖVÜNÇ
CVSS 9.1
Global RADAR BSA Radar <1.6.7234.24750 - XSS
The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile.
by William Summerhill
CVSS 5.4
Lansweeper <7.2.x - Command Injection
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.
by Amel BOUZIANE-LEBLOND
CVSS 9.8
Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
by BKpatron
Frigate 2.02 - Denial of Service via Oversized Command Line Input
Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. Attackers can generate a payload of 8000 repeated characters and paste it into the application's command line field to trigger an application crash.
by Paras Bhatia
CVSS 7.5
WebPort 1.19.1 - Cross-Site Scripting via Setup Type Parameter
Web Port 1.19.1 allows XSS via the /access/setup type parameter.
by Emre ÖVÜNÇ
CVSS 6.1
Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload
by BKpatron
WebPort 1.19.1 - Cross-Site Scripting via Log Type Parameter
Web Port 1.19.1 allows XSS via the /log type parameter.
by Emre ÖVÜNÇ
CVSS 6.1
FileRun 2019.05.21 - Cross-Site Scripting via Filename Upload Parameter
FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman&section=do&page=up URI. This issue has been fixed in FileRun 2019.06.01.
by Emre ÖVÜNÇ
CVSS 6.1
Eaton Intelligent Power Manager 1.6 - Directory Traversal
by Emre ÖVÜNÇ
Beauty Parlour Management System 1.0 - Authentication Bypass
by Prof. Kailas PATIL
OpenCTI 3.3.1 - Reflected Cross-Site Scripting via GraphQL Endpoint
OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.
by Raif Berkay Dincel
CVSS 5.4
OpenCTI 3.3.1 - Unauthenticated Directory Traversal via Static CSS Endpoint
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.
by Raif Berkay Dincel
CVSS 7.5
College Management System Php 1.0 - SQL Injection via Unfiltered POST Parameters
College Management System Php 1.0 suffers from SQL injection vulnerabilities in the index.php page via the POST parameters 'unametxt' and 'pwdtxt', which are not filtered before being passed into a SQL query.
by BLAY ABU SAFIAN
CVSS 9.8
10-Strike Bandwidth Monitor 3.9 - Privilege Escalation
10-Strike Bandwidth Monitor 3.9 contains an unquoted service path vulnerability in multiple services that allows local attackers to escalate privileges. Attackers can place a malicious executable in specific file path locations to achieve privilege escalation to SYSTEM during service startup.
by boku
CVSS 7.8
Sysax Multi Server 6.90 - Reflected Cross-Site Scripting via SCGI SID Parameter
An issue was discovered in Sysax Multi Server 6.90. There is reflected XSS via the /scgi sid parameter.
by Luca Epifanio
CVSS 6.1