Exploitdb Exploits
50,076 exploits tracked across all sources.
webERP 4.15.1 - Unauthenticated Database Backup File Access
webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated backup files in the companies/weberp/ directory by requesting the Backup_[timestamp].sql.gz file.
by Besim
CVSS 9.8
Fishing Reservation System 7.5 - SQL Injection
Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction.
by Vulnerability-Lab
CVSS 7.1
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
by Daniel Martinez Adan
Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path
by Nguyen Khang
Online Scheduling System 1.0 - 'username' SQL Injection
by Saurav Shukla
SaltStack Salt < 2019.2.4 - Authenticated Path Traversal via ClearFuncs Methods
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
by Jasper Lievisse Adriaanse
CVSS 6.5
NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
by Cold z3ro
PHP AddressBook 9.0.0.1 - SQL Injection
PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint.
by David Velazquez
CVSS 8.2
Outline Service 1.3.3 - Privilege Escalation
Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with LocalSystem permissions during service startup.
by Minh Tuan
CVSS 7.8
osTicket < 1.14.2 - Stored Cross-Site Scripting via SLA Name
include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.
by Mehmet Kelepçe
CVSS 5.4
VirtualTablet Server 3.0.2 - Denial of Service via Oversized Thrift Payload
VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive.
by Dolev Farhi
CVSS 7.5
php-fusion 9.03.50 - Cross-Site Scripting via FAQ or Shoutbox Admin Panel go Parameter
Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php
by SunCSR
CVSS 5.4
Online Scheduling System 1.0 - Persistent Cross-Site Scripting
by boku
Apache Shiro < 1.2.5 - Remote Code Execution via Remember Me Feature
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
by Metasploit
CVSS 9.8
Apache OFBiz 17.12.01 - Cross-Site Request Forgery
Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.
by Faiz Ahmed Zaidi
CVSS 8.8
Super Backup 2.0.5 for iOS - Directory Traversal
by Vulnerability-Lab
By Source