Exploitdb Exploits

50,135 exploits tracked across all sources.

CVE-2021-47827 EXPLOITDB HIGH python
WebSSH for iOS <14.16.10 - DoS
WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash.
by Luis Martínez
CVSS 7.5
EIP-2026-118069 EXPLOITDB powershell
Visual Studio Code 1.47.1 - Denial of Service (PoC)
by H.H.A.Ravindu Priyankara
CVE-2021-24245 EXPLOITDB MEDIUM text
Trumani Stop Spammers < 2021.9 - XSS
The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and leads to a reflected Cross-Site Scripting issue.
by Hosein Vita
CVSS 6.1
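The Stop Spammers entry above illustrates a general point: removing HTML tags does not protect a value that is written into an HTML attribute, because a payload with no angle brackets can still close the attribute and start an event handler. The following is an added example, not the plugin's code; the tag-stripping filter, the rendered input element and the payload are all constructed here to show why tag stripping is insufficient and what attribute-context escaping changes.

```python
import html
import re

# Constructed payload: contains no '<' or '>', so a tag-stripping filter leaves it intact.
PAYLOAD = '" onmouseover="alert(1)'


def strip_tags(value: str) -> str:
    """A hypothetical tag-stripping 'sanitizer' of the kind the advisory describes."""
    return re.sub(r"<[^>]*>", "", value)


def render_vulnerable(blocked_value: str) -> str:
    """Vulnerable pattern: strip tags, then interpolate the value into an attribute."""
    return f'<input type="hidden" name="blocked" value="{strip_tags(blocked_value)}">'


def render_fixed(blocked_value: str) -> str:
    """Fixed pattern: escape for the attribute context; quotes become entities."""
    escaped = html.escape(blocked_value, quote=True)
    return f'<input type="hidden" name="blocked" value="{escaped}">'


# Matches a closed value attribute immediately followed by an on*= event-handler attribute,
# i.e. the injected value escaped the attribute it was written into.
ATTR_BREAKOUT = re.compile(r'value="[^"]*"\s+on\w+=')


def breaks_out(markup: str) -> bool:
    """True if the interpolated value closed its attribute and injected an event handler."""
    return ATTR_BREAKOUT.search(markup) is not None


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))  # attribute is closed, onmouseover is injected
    print(render_fixed(PAYLOAD))       # quotes are &quot;, the value stays inside the attribute
```

The check in breaks_out is deliberately narrow (one breakout shape); the point is that the tag filter passes the payload untouched, while html.escape with quote=True turns the closing quote into an entity so the browser never sees a new attribute.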
EIP-2026-104321 EXPLOITDB python
ManageEngine ADSelfService Plus 6.1 - CSV Injection
by Metin Yunus Kandemir
CVE-2021-27828 EXPLOITDB CRITICAL text
In4Suite ERP <3.2.74.1370 - SQL Injection
SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
by Gulab Mondal
CVSS 9.1
CVE-2021-26855 EXPLOITDB CRITICAL python
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
by Gonzalo Villegas
CVSS 9.1
EIP-2026-106795 EXPLOITDB text
EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection
by Dimitrios Mitakos
CVE-2021-45411 EXPLOITDB CRITICAL text
Printable Staff ID Card Creator System - Unrestricted File Upload
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
by bwnz
CVSS 9.8
CVE-2013-3893 EXPLOITDB HIGH javascript
Microsoft Internet Explorer - Use After Free
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
by SlidingWindow
CVSS 8.8
CVE-2018-19422 EXPLOITDB HIGH python
Subrion CMS 4.2.1 - RCE
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
by Fellipe Oliveira
CVSS 7.2
EIP-2026-112069 EXPLOITDB text
Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
by Vani K G
EIP-2026-106420 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
by Reza Afsahi
EIP-2026-106418 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
by Reza Afsahi
EIP-2026-106287 EXPLOITDB text
Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting
by Vani K G
EIP-2026-105480 EXPLOITDB text
Billing Management System 2.0 - Union based SQL injection (Authenticated)
by Mohammad Koochaki
EIP-2026-104980 EXPLOITDB text
Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)
by Abdulkadir AYDOGAN
CVE-2021-33393 EXPLOITDB HIGH python
IPFire 2.25-core155 - Privilege Escalation
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
by Mücahit Saratar
CVSS 8.8
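The IPFire entry above describes a file that root later executes without ensuring that root owns it, and notes that other files may have the same problem. The check below is an added example, not IPFire's code: it audits a script (or a whole tree) for the two properties a root-executed file must have, owner is the expected uid and no group/world write bit, and reports symlinks as well. The demo function builds a constructed world-writable backup.pl in a temporary directory; the path and mode are assumptions for illustration.

```python
import os
import stat
import tempfile
from typing import Dict, List


def audit_stat(st_mode: int, st_uid: int, expected_uid: int = 0) -> List[str]:
    """Return the reasons a file with these attributes must not be executed by root."""
    problems: List[str] = []
    if st_uid != expected_uid:
        problems.append(f"owned by uid {st_uid}, expected {expected_uid}")
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_path(path: str, expected_uid: int = 0) -> List[str]:
    """Audit one filesystem entry without following symlinks."""
    st = os.lstat(path)
    problems = audit_stat(st.st_mode, st.st_uid, expected_uid)
    if stat.S_ISLNK(st.st_mode):
        # A symlink can be retargeted by whoever owns the link's directory.
        problems.append("is a symlink")
    return problems


def audit_tree(root: str, expected_uid: int = 0) -> Dict[str, List[str]]:
    """Walk a directory tree and map every entry with a problem to its list of problems."""
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            problems = audit_path(full, expected_uid)
            if problems:
                findings[full] = problems
    return findings


def demo() -> List[str]:
    """Constructed scenario: a backup.pl left world-writable, audited against the current uid."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backup.pl")
        with open(script, "w") as f:
            f.write("#!/usr/bin/perl\n")
        os.chmod(script, 0o666)  # assumption for the demo: the mode an unprivileged owner left behind
        return audit_path(script, expected_uid=os.getuid())


if __name__ == "__main__":
    print(demo())
```

On a real system the call would be audit_tree("/var/ipfire/backup") run as root with expected_uid=0; any non-empty result is a file that an unprivileged account could have replaced before root executes it.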
CVE-2021-33371 EXPLOITDB MEDIUM text
Student Management System v1.0 - XSS
A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box.
by mohsen khashei
CVSS 5.4
EIP-2026-111383 EXPLOITDB text
Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)
by Ayşenur KARAASLAN
CVE-2021-31933 EXPLOITDB HIGH python VERIFIED
Chamilo < 1.11.14 - Remote Code Execution
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
by M. Cory Billington
CVSS 7.2
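Both the Subrion entry (an .htaccess that omits .pht and .phar) and the Chamilo entry (extension filtering that misses the same names, plus directory traversal in the upload path) are instances of two recurring upload-handler mistakes: a denylist of executable extensions that can never be complete, and a destination path that is not confined to the upload directory. The following is an added example, not code from either project; the denylist, allowlist, upload root and filenames are constructed to show the difference between the two validation strategies and a containment check for the destination path.

```python
import posixpath
from typing import Optional

# Constructed denylist of the shape an .htaccess or upload handler often carries.
# It does not list pht or phar, which many PHP handlers will still execute.
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Constructed allowlist: only the types the uploads directory actually needs to accept.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def extension(filename: str) -> str:
    """Lower-cased final extension, or '' if the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def denylist_allows(filename: str) -> bool:
    """Vulnerable pattern: reject known-bad extensions, accept everything else."""
    return extension(filename) not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened pattern: accept only extensions that are needed, reject the rest."""
    return extension(filename) in ALLOWLIST


def safe_destination(upload_root: str, user_path: str) -> Optional[str]:
    """Resolve a user-supplied relative path under upload_root; refuse anything that escapes it.

    Joining then normalising collapses '..' segments, and an absolute user_path
    replaces the root entirely, so the prefix check catches both cases.
    """
    root = posixpath.normpath(upload_root)
    target = posixpath.normpath(posixpath.join(root, user_path))
    if target == root or not target.startswith(root + "/"):
        return None
    return target


if __name__ == "__main__":
    for name in ("shell.php", "shell.pht", "shell.phar", "photo.jpg"):
        print(name, "denylist:", denylist_allows(name), "allowlist:", allowlist_allows(name))
    print(safe_destination("/var/www/uploads", "images/photo.jpg"))
    print(safe_destination("/var/www/uploads", "../../main/inc/lib/shell.php"))
```

The allowlist check looks only at the final extension; a server that maps handlers by any extension in the name (Apache's multi-extension behaviour) also needs the upload directory configured to never execute scripts, and names with multiple dots should be rejected or rewritten rather than trusted.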
CVE-2020-0674 EXPLOITDB HIGH javascript
Microsoft Internet Explorer - Use After Free
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.
by Forrest Orr
CVSS 7.5
CVE-2019-17026 EXPLOITDB HIGH javascript
Mozilla Firefox < 68.4.1 - Type Confusion
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.
by Forrest Orr
CVSS 8.8
EIP-2026-106419 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
by Mesut Cetin
EIP-2026-106417 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - 'date' UNION based SQL Injection (Authenticated)
by Mesut Cetin
CVE-2019-12725 EXPLOITDB CRITICAL python
Zeroshell - OS Command Injection
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
by Fellipe Oliveira
CVSS 9.8