Exploitdb Exploits
50,076 exploits tracked across all sources.
ILIAS Learning Management System <4.3 - SSRF
ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the portfolio is exported to PDF.
by Dot
CVSS 4.0
asc Timetables 2021.6.2 - Denial of Service via Subject Title Field Overflow
aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,000-character buffer and paste it into the subject title to trigger application instability and potential crash.
by Ismael Nava
CVSS 7.5
PHPGurukul Employee Record Management System 1.1 - SQL Injection
SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
by Anurag Kumar
CVSS 9.8
EGavilan Media Expense Management System 1.0 - Stored Cross-Site Scripting via Description Field
XSS in the Add Expense Component of EGavilan Media Expense Management System 1.0 allows an attacker to permanently store malicious JavaScript code via the 'description' field
by Nikhil Kumar
CVSS 6.1
Bakeshop Online Ordering System 1.0 - Stored Cross-Site Scripting in Admin Dashboard Categories
Bakeshop Online Ordering System in PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML in admin dashboard - "Categories".
by Parshwa Bhavsar
CVSS 4.8
dotcms 20.11 - Stored Cross-Site Scripting in Admin Panel Template Addition
DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS.
by Hardik Solanki
CVSS 4.8
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Cross-Site Request Forgery in User Profile Panel
EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account.
by Hardik Solanki
CVSS 8.0
Student Result Management System - SQL Injection
Student Result Management System In PHP With Source Code is affected by SQL injection. An attacker can able to access of Admin Panel and manage every account of Result.
by Ritesh Gohil
CVSS 9.1
User Registration & Login System with Admin Panel 1.0 - Cross-Site Scripting via Full Name Parameter
Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0.
by Soushikta Chowdhury
CVSS 6.1
EGavilan Media Under Construction page with cPanel 1.0 - SQL Injection
EGavilan Media Under Construction page with cPanel 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution.
by Mayur Parmar
CVSS 9.8
Online Birth Certificate System Project V 1.0 - XSS
Online Birth Certificate System Project V 1.0 is affected by cross-site scripting (XSS). This vulnerability can result in an attacker injecting the XSS payload in the User Registration section. When an admin visits the View Detail of Application section from the admin panel, the attacker can able to steal the cookie according to the crafted payload.
by Sagar Banwa
CVSS 6.1
PRTG Network Monitor 20.1.56.1574 - Authenticated Stored Cross-Site Scripting via Map Designer Properties
XSS exists in PRTG Network Monitor 20.1.56.1574 via crafted map properties. An attacker with Read/Write privileges can create a map, and then use the Map Designer Properties screen to insert JavaScript code. This can be exploited against any user with View Maps or Edit Maps access.
by Amin Rawah
CVSS 5.4
IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
by Manuel Alvarez
WordPress File Manager Unauthenticated Remote Code Execution
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
by Mansoor R
CVSS 10.0
WonderCMS 3.1.3 - Code Execution via Theme Installer SSRF
A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.
by zetc0de
CVSS 9.8
WonderCMS 3.1.3 - Authenticated Remote Code Execution via Theme/Plugin Installer
A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.
by zetc0de
CVSS 9.8
WonderCMS 3.1.3 - Stored Cross-Site Scripting in Menu Component
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can steal the cookie according to the crafted payload.
by Hemant Patidar
CVSS 5.4
Pharmacy Store Management System 1.0 - 'id' SQL Injection
by Aydın Baran Ertemir
Car Rental Management System 1.0 - SQL Injection / Local File include
by Mosaaed
Anuko Time Tracker <1.19.23.5311 - Info Disclosure
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.
by Mufaddal Masalawala
CVSS 9.8
Anuko Time Tracker <1.19.23.5311 - DoS
Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox
by Mufaddal Masalawala
CVSS 7.5
Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
by Parshwa Bhavsar
Local Service Search Engine Management System 1.0 - Auth Bypass
Local Service Search Engine Management System 1.0 has a vulnerability through authentication bypass using SQL injection . Using this vulnerability, an attacker can bypass the login page.
by Aditya Wakhlu
CVSS 9.8
By Source