Exploitdb Exploits
50,135 exploits tracked across all sources.
Google Slo Generator < 2.0.1 - Code Injection
SLO generator allows for loading of YAML files that if crafted in a specific format can allow for code execution within the context of the SLO Generator. We recommend upgrading SLO Generator past https://github.com/google/slo-generator/pull/173
by Kiran Ghimire
CVSS 5.3
Odine Solutions GateKeeper 1.0 - SQL Injection
Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information.
by Emel Basayar
CVSS 8.2
Wordpress BulletProof Security Backup Disclosure
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
by Ron Jost
CVSS 5.3
Atlassian Jira Data Center < 8.5.14 - Path Traversal
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.
by Mayank Deshmukh
CVSS 5.3
Apache 2.4.49/2.4.50 Traversal RCE
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
by Lucas Souza
CVSS 9.8
Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
by spacehen
Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
by spacehen
Student Quarterly Grading System 1.0 - SQLi Authentication Bypass
by Blackhan
Atlassian Confluence Server <7.4.10, >7.5.0-7.12.2 - Info Disclosure
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
by Mayank Deshmukh
CVSS 5.3
Lodging Reservation Management System - SQL Injection
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
by Nitin Sharma
CVSS 9.8
Opengamepanel < 2021-08-14 - OS Command Injection
An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. An authenticated attacker could inject OS commands by starting a Counter-Strike server and using the map field to enter a Bash command.
by prey
CVSS 8.8
Opengamepanel < 2021-08-14 - Cleartext Storage
An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. $HOME/OGP/Cfg/Config.pm has the root password in cleartext.
by prey
CVSS 8.8
Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
by Jordan Glover
Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
by Jordan Glover
Payara Micro Community < 5.2021.6 - Path Traversal
Payara Micro Community 5.2021.6 and below allows Directory Traversal.
by Yasser Khan
CVSS 7.5
Dairy Farm Shop Management System v1.0 - SQL Injection
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Dairy Farm Shop Management System v1.0 allows attackers to bypass authentication.
by Sanjay Singh
CVSS 9.8
Directory Management System v1.0 - SQL Injection
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allows attackers to bypass authentication.
by Sanjay Singh
CVSS 9.8
Phpwcms - Unrestricted File Upload
Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform.
by Okan Kurtulus
CVSS 5.4
Cmsimple-xh Cmsimple XH - Code Injection
CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server.
by Halit AKAYDIN
CVSS 7.2
Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Ghuliev
Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
by Nitin Sharma
Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation
by Cristian \'void\' Giustini
Progress Whatsupgold < 21.1.0 - XSS
In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input. which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.
by Andreas Finstad
CVSS 6.1
Cyber Cafe Management System Project v1.0 - SQL Injection
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.
by Sanjay Singh
CVSS 9.8
By Source