Exploitdb Exploits
50,076 exploits tracked across all sources.
Multilaser Router AC1200 V02.03.01.45_pt - CSRF
Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability. An attacker can enable remote access, change passwords, and perform other actions through misconfigured requests, entries, and headers.
by Rodolfo Mariano
CVSS 8.8
AdTran Personal Phone Mgr <10.8.1 - Info Disclosure
AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched
by 3ndG4me
CVSS 7.5
Adtran Personal Phone Manager < 10.8.1 - Reflected Cross-Site Scripting
The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched
by 3ndG4me
CVSS 6.1
AdTran Personal Phone Manager <= 10.8.1 - Authenticated Stored Cross-Site Scripting
The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched
by 3ndG4me
CVSS 5.4
GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF
GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution.
by boku
CVSS 6.5
GetSimple CMS My SMTP Contact Plugin <1.1.2 - Code Injection
GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.
by boku
CVSS 7.2
glFTPd 2.11a - Denial of Service via Connection Limit Exhaustion
An issue was discovered in glFTPd 2.11a that allows remote attackers to cause a denial of service via exceeding the connection limit.
by xynmaps
CVSS 7.5
TileServer GL < 3.0.0 - Reflected Cross-Site Scripting via Key GET Parameter
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.
by Akash Chathoth
CVSS 6.1
htmly 2.8.0 - Stored Cross-Site Scripting via Blog Title Tagline or Description
htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php.
by nu11secur1ty
CVSS 5.4
Horde Groupware Webmail < 5.2.22 - Cross-Site Scripting via Text2html.php PreProcess
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.
by nu11secur1ty
CVSS 6.1
Digital Crime Report Management System 1.0 - SQL Injection
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints.
by GaluhID
CVSS 8.2
jQuery 1.12.0-3.4.1 - Cross-Site Scripting via DOM Manipulation Methods
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
by Central InfoSec
CVSS 6.9
jQuery <3.5.0 - XSS
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
by Central InfoSec
CVSS 6.9
MariaDB <10.2.37, 10.3.28, 10.4.18, 10.5.9 - RCE
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
by Central InfoSec
CVSS 7.2
CITSmart <9.1.2.28 - Info Disclosure
CITSmart before 9.1.2.28 mishandles the "filtro de autocomplete."
by skysbsb
CVSS 8.8
CITSmart < 9.1.2.23 - LDAP Injection
CITSmart before 9.1.2.23 allows LDAP Injection.
by skysbsb
CVSS 9.8
Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - Remote Code Execution via sys_config_valid.xgi
Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.
by Jay Sharma
CVSS 9.8
Blitar Tourism 1.0 - Auth Bypass
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access.
by sigeri94
CVSS 8.2
Simple Student Information System 1.0 - SQL Injection (Authentication Bypass)
by GaluhID
ExpressVPN Router < - Info Disclosure
An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.
by Jai Kumar Sharma
CVSS 7.5
vsftpd 2.3.4 - Backdoor Command Execution
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
by HerculesRD
CVSS 9.8
PrestaShop <1.7.6.8 - Blind SQL Injection
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
by Vanshal Gaur
CVSS 9.8
CMSimple 5.2 - Stored Cross-Site Scripting in Filebrowser External Input
CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection.
by Quadron Research Lab
CVSS 6.1
Composr 10.0.36 - Unauthenticated Arbitrary File Upload
Composr 10.0.36 allows upload and execution of PHP files.
by Orion Hridoy
CVSS 9.8
DMA Softlab Radius Manager 4.4.0 - CSRF
DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php.
by Issac Briones
CVSS 8.8
By Source