Exploitdb Exploits
50,186 exploits tracked across all sources.
Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
by Mehmet Kelepçe
Global RADAR BSA Radar <1.6.7234.24750 - Privilege Escalation
A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.24750 and earlier that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e., the BankAdmin role) via modified SaveUser data.
by William Summerhill
CVSS 8.8
Exhibitor Web UI <1.7.1 - Command Injection
An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.
by Logan Sanderson
CVSS 9.8
Fire Web Server 0.1 - Remote Denial of Service (PoC)
by Saeed reza Zamanian
RiteCMS 2.2.1 - Command Injection
An issue was discovered in RiteCMS 2.2.1. An authenticated user can directly execute system commands by uploading a php web shell in the "Filemanager" section.
by Enes Özeser
CVSS 8.8
Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
by Basim Alabdullah
File Management System 1.1 - Persistent Cross-Site Scripting
by KeopssGroup0day_Inc
Dell Rsa Identity Governance And Lifecycle - Code Injection
The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.
by Jakub Palaczynski
CVSS 6.4
BIG-IP <15.2 - RCE
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
by Critical Start
CVSS 9.8
Grafana 3.0.1-7.0.1 - SSRF
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.
by mostwanted002
CVSS 8.2
BIG-IP <15.2 - RCE
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
by Budi Khoirudin
CVSS 9.8
OCS Inventory NG <2.7 - RCE
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.
by Askar
CVSS 8.8
RM Downloader 2.50.60 - Buffer Overflow
RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the 'Load' parameter that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload with an egg hunter technique to bypass memory protections and execute commands like launching calc.exe.
by Paras Bhatia
CVSS 8.4
e-Learning PHP Script 0.1.0 - SQL Injection
e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information.
by KeopssGroup0day_Inc
CVSS 8.2
Victor Cms < 2019-02-28 - XSS
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
by Anushree Priyadarshini
CVSS 6.1
Reside Property Management 3.0 - 'profile' SQL Injection
by Behzad Khalifeh
Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
by Ethan Seow
KiteService 1.2020.618.0 - Unquoted Service Path
by Marcos Antonio León
Myscada Mypro - Hard-coded Credentials
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
by Emre ÖVÜNÇ
CVSS 9.1
By Source