Exploitdb Exploits
50,076 exploits tracked across all sources.
Jenkins Pipeline: Groovy Plugin <2.63 - RCE
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
by Daniel Morris
CVSS 9.9
HiSilicon IPTV/H.264/H.265 Video Encoders - Unauthenticated Denial of Service via RTSP Request Buffer Overflow
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can send a crafted unauthenticated RTSP request to cause a buffer overflow and application crash. The device will not be able to perform its main purpose of video encoding and streaming for up to a minute, until it automatically reboots. Attackers can send malicious requests once a minute, effectively disabling the device.
by Alexei Kojenov
CVSS 9.8
URayTech IPTV/H.264/H.265 <1.97 - Path Traversal
An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password.
by Alexei Kojenov
CVSS 7.5
HiSilicon Video Encoder Firmware - Unauthenticated Arbitrary Code Execution via Firmware Upload
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
by Alexei Kojenov
CVSS 9.8
HiSilicon Video Encoder Firmware - Unauthenticated Arbitrary Code Execution via Firmware Upload
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
by Alexei Kojenov
CVSS 9.8
HiSilicon IPTV/H.264/H.265 Video Encoder Firmware - Use of Hard-coded Credentials
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the device including retrieving the device's configuration (with the cleartext admin password), and uploading a custom firmware update, to ultimately achieve arbitrary code execution.
by Alexei Kojenov
CVSS 9.8
SourceCodester Employee Management System 1.0 - XSS
A Cross Site Scripting in SourceCodester Employee Management System 1.0 allows the user to execute alert messages via /Employee Management System/addemp.php on admin account.
by Ankita Pal
CVSS 5.4
SourceCodester Alumni Management System 1.0 - SQL Injection
SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows the user to inject SQL payload to bypass the authentication via admin/login.php.
by Ankita Pal
CVSS 9.8
aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)
by Ünsal Furkan Harani
Seat Reservation System 1.0 - SQL Injection via admin_class.php Login Parameters
An issue was discovered in SourceCodester Seat Reservation System 1.0. The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the post request to /admin/ajax.php?action=login and bypass authentication, extract sensitive information etc.
by Rahul Ramkumar
CVSS 9.1
Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)
by Rahul Ramkumar
Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)
by b1nary
Hotel Management System 1.0 - Remote Code Execution (Authenticated)
by Aporlorxl23
Company Visitor Management System (CVMS) 1.0 - Authentication Bypass
by Oğuz Türkgenç
Simple Grocery Store Sales and Inventory System - Authentication Bypass and SQL Injection via Login
An issue was discovered in SourceCodester Simple Grocery Store Sales And Inventory System 1.0. There was authentication bypass in web login functionality allows an attacker to gain client privileges via SQL injection in sales_inventory/login.php.
by Saurav Shukla
CVSS 9.8
Vehicle Parking Management System 1.0 - Authentication Bypass
by BKpatron
rConfig 3.9.5 - Remote Code Execution (Unauthenticated)
by Daniel Monzón
berliCRM 1.0.24 - SQL Injection via src_record Parameter
berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information.
by Ahmet Ümit BAYRAM
CVSS 8.2
Battle.Net 1.27.1.12428 - Insecure File Permissions
by George Tsimpidas
By Source