Inthewild Exploits

518 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-35844 INTHEWILD HIGH
Lightdash < 0.510.3 - Path Traversal
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
CVSS 7.5
CVE-2023-33829 INTHEWILD MEDIUM
Cloudogu GmbH SCM Manager <1.60 - XSS
A stored cross-site scripting (XSS) vulnerability in Cloudogu GmbH SCM Manager v1.2 to v1.60 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field.
CVSS 5.4
CVE-2023-33829 INTHEWILD MEDIUM
Cloudogu GmbH SCM Manager <1.60 - XSS
A stored cross-site scripting (XSS) vulnerability in Cloudogu GmbH SCM Manager v1.2 to v1.60 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field.
CVSS 5.4
CVE-2023-32235 INTHEWILD HIGH
Ghost < 5.42.1 - Path Traversal
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
CVSS 7.5
CVE-2023-31753 INTHEWILD CRITICAL
eNdonesia 8.7 - SQL Injection
SQL injection vulnerability in diskusi.php in eNdonesia 8.7, allows an attacker to execute arbitrary SQL commands via the "rid=" parameter.
CVSS 9.8
CVE-2023-31606 INTHEWILD HIGH
redcloth gem <4.0.0 - DoS
A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVSS 7.5
CVE-2023-29923 INTHEWILD MEDIUM
Powerjob - Incorrect Default Permissions
PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface.
CVSS 5.3
CVE-2023-29923 INTHEWILD MEDIUM
Powerjob - Incorrect Default Permissions
PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface.
CVSS 5.3
CVE-2023-28771 INTHEWILD CRITICAL
Zyxel ZyWALL/USG <4.73 - RCE
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
CVSS 9.8
CVE-2023-28771 INTHEWILD CRITICAL
Zyxel ZyWALL/USG <4.73 - RCE
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
CVSS 9.8
CVE-2023-28231 INTHEWILD HIGH
Microsoft Windows Server 2008 - Heap Buffer Overflow
DHCP Server Service Remote Code Execution Vulnerability
CVSS 8.8
CVE-2023-27842 INTHEWILD HIGH
eXtplorer <2.1.15 - RCE
Insecure Permissions vulnerability found in Extplorer File manager eXtplorer v.2.1.15 allows a remote attacker to execute arbitrary code via the index.php compenent
CVSS 8.8
CVE-2023-27587 INTHEWILD HIGH
Readtomyshoe < 2023-03-13 - Error Information Exposure
ReadtoMyShoe, a web app that lets users upload articles and listen to them later, generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key. This has been patched in commit 8533b01. Upgrading should be accompanied by deleting the current GCP API key and issuing a new one. There are no known workarounds.
CVSS 7.4
CVE-2023-2732 INTHEWILD CRITICAL
Inspireui Mstore API < 3.9.2 - Authentication Bypass
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
CVSS 9.8
CVE-2023-26692 INTHEWILD MEDIUM
ZCBS/ZPBS/ZBBS 4.14k - XSS
ZCBS Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k is vulnerable to Cross Site Scripting (XSS).
CVSS 6.1
CVE-2023-26256 INTHEWILD HIGH
STAGIL Navigation for Jira <2.0.52 - Path Traversal
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.
CVSS 7.5
CVE-2023-23638 INTHEWILD MEDIUM
Apache Dubbo < 2.7.21 - Insecure Deserialization
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
CVSS 5.0
CVE-2022-4944 INTHEWILD MEDIUM
Kodcloud Kodexplorer < 4.49 - CSRF
A vulnerability, which was classified as problematic, has been found in kalcaddle KodExplorer up to 4.49. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.50 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-227000.
CVSS 4.3
CVE-2022-48150 INTHEWILD MEDIUM
Shopware - XSS
Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI.
CVSS 6.1
CVE-2022-46485 INTHEWILD HIGH
Data Illusion Survey Software Solutions ngSurvey <2.4.28 - DoS
Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and below is vulnerable to Denial of Service if a survey contains a "Text Field", "Comment Field" or "Contact Details".
CVSS 7.5
CVE-2022-46080 INTHEWILD CRITICAL
Nexxt Nebula 1200-AC <15.03.06.60 - Auth Bypass, Command Injection
Nexxt Nebula 1200-AC 15.03.06.60 allows authentication bypass and command execution by using the HTTPD service to enable TELNET.
CVSS 9.8
CVE-2022-45701 INTHEWILD HIGH
Commscope Arris Tg2482a Firmware < 9.1.103 - Command Injection
Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.
CVSS 8.8
CVE-2022-44149 INTHEWILD HIGH
Nexxt Amp300 ARN02304U8 - RCE
The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 and 80.103.2.5045 devices allows remote OS command execution by placing &telnetd in the JSON host field to the ping feature of the goform/sysTools component. Authentication is required
CVSS 8.8
CVE-2022-3590 INTHEWILD MEDIUM
WordPress - Blind SSRF
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVSS 5.9
CVE-2022-3552 INTHEWILD HIGH
Boxbilling < 0.0.1 - Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type in GitHub repository boxbilling/boxbilling prior to 0.0.1.
CVSS 7.2
By Source
All 518 Exploitdb 50,123 Writeup 46,586 Nomisec 21,111 Metasploit 3,189 Github 2,219 Vulncheck_xdb 900 Inthewild 518 Gitlab 438 Gitee 415 Patchapalooza 312
By Language
text 31,341 ruby 5,920 python 5,725 c 3,550 perl 2,854 html 2,054 php 1,334 bash 459 java 359 javascript 256 c++ 245 shell 67 go 41 postscript 25 xml 24