Exploitdb Exploits
50,135 exploits tracked across all sources.
Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass
by able403
Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)
by able403
Grafana Plugin Path Traversal
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
by s1gh
CVSS 7.5
Raspberry Pi OS <5.10 - Privilege Escalation
Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.
by netspooky
CVSS 9.8
Croogo - Unrestricted File Upload
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script.
by Deha Berkin Bir
CVSS 8.8
Auerswald COMpact 8.0B - Privilege Escalation
by RedTeam Pentesting GmbH
Auerswald COMpact 5500R <8.0B - RCE
Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device.
by RedTeam Pentesting GmbH
CVSS 9.8
Auerswald COMpact 8.0B - Arbitrary File Disclosure
by RedTeam Pentesting GmbH
Auerswald COMfortel 2.8F - Authentication Bypass
by RedTeam Pentesting GmbH
WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)
by Abdurrahman Erkan
Digitalzoomstudio Zoomsounds < 6.45 - Path Traversal
The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.
by Uriel Yochpaz
CVSS 7.5
WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
by Mohamed Magdy Abumusilm
Online Pre-owned/used Car Showroom Management System - SQL Injection
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to get admin access on the application.
by Mohamed habib Smidi
CVSS 9.8
Oretnom23 Online Magazine Management System - SQL Injection
Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to gain access as admin to the application.
by Mohamed habib Smidi
CVSS 9.8
MilleGPG5 5.7.2 - Privilege Escalation
MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts.
by Alessandro Salzano
CVSS 7.8
Sourcecodester Online Enrollment Management System - XSS
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 in the Add-Users page via the Name parameter.
by Tushar Jadhav
CVSS 5.4
Codeigniter4 Framework - XSS
A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is disputed by the Supplier because attackers cannot influence the value of debugbar_time, and because debugbar-related data is automatically escaped by the CodeIgniter Parser class.
by Pablo Santiago
CVSS 6.1
Orangescrum - IDOR
Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.
by Hubert Wojciechowski
CVSS 8.8
Orangescrum - SQL Injection
Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.
by Hubert Wojciechowski
CVSS 7.1
Orangescrum - XSS
Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victim's browsers by submitting crafted payloads through application endpoints.
by Hubert Wojciechowski
CVSS 5.4
Bagisto 1.3.3 - Client-Side Template Injection
by Mohamed Abdellatif Jaber
HTTPDebuggerPro 9.11 - Code Injection
HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system.
by Aryan Chehreghani
CVSS 7.8
Cmsimple - Remote File Inclusion
CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms.
by S1lv3r
CVSS 7.8
By Source