Exploitdb Exploits

50,186 exploits tracked across all sources.

EIP-2026-113009 EXPLOITDB python
vBulletin 5.6.1 - 'nodeId' SQL Injection
by Photubias
CVE-2019-15083 EXPLOITDB MEDIUM text
Zohocorp Manageengine Servicedesk Plus - XSS
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the ManageEngine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator views this page.
by Felipe Molina
CVSS 6.1
EIP-2026-117019 EXPLOITDB python
Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
by gurbanli
EIP-2026-106624 EXPLOITDB text
E-Commerce System 1.0 - Unauthenticated Remote Code Execution
by SunCSR
EIP-2026-106104 EXPLOITDB python
Complaint Management System 1.0 - 'username' SQL Injection
by Daniel Ortiz
EIP-2026-101892 EXPLOITDB text
Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
by Seecko Das
CVE-2020-37074 EXPLOITDB CRITICAL python
Remote Desktop Audit 2.3.0.157 - RCE
Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) bypass and execute shellcode when importing computer lists.
by gurbanli
CVSS 9.8
CVE-2020-37014 EXPLOITDB MEDIUM text
Tryton 5.4 - XSS
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.
by Vulnerability-Lab
CVSS 6.4
CVE-2020-37003 EXPLOITDB MEDIUM text
Sellacious eCommerce 4.6 - XSS
Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.
by Vulnerability-Lab
CVSS 6.4
CVE-2020-37075 EXPLOITDB CRITICAL python
LanSend 3.2 - RCE
LanSend 3.2 contains a buffer overflow vulnerability in the Add Computers Wizard file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) overwrite and execute shellcode when importing computers from a file.
by gurbanli
CVSS 9.8
CVE-2020-37019 EXPLOITDB MEDIUM text
Orchard Core RC1 - XSS
Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers.
by SunCSR
CVSS 6.4
CVE-2020-11530 EXPLOITDB CRITICAL text
Idangero Chop Slider - SQL Injection
A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.
by SunCSR
CVSS 9.8
EIP-2026-111615 EXPLOITDB text
qdPM 9.1 - Arbitrary File Upload
by Besim
EIP-2026-106309 EXPLOITDB text
CuteNews 2.1.2 - Authenticated Arbitrary File Upload
by Nhat Ha
EIP-2026-103377 EXPLOITDB python
MacOS 320.whatis Script - Privilege Escalation
by Csaba Fitzl
CVE-2019-16112 EXPLOITDB HIGH python
TylerTech Eagle <2018.3.11 - RCE
TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting in remote code execution via a crafted Java object to the recorder/ServiceManager?service=tyler.empire.settings.SettingManager URI.
by Anthony Cole
CVSS 8.8
CVE-2019-15253 EXPLOITDB MEDIUM text
Cisco Catalyst Center < 1.3.0.6 - XSS
A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. This vulnerability affects Cisco DNA Center Software releases earlier than 1.3.0.6 and 1.3.1.4.
by Dylan Garnaud
CVSS 4.8
CVE-2020-37076 EXPLOITDB HIGH text
Victor CMS 1.0 - SQL Injection
Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based, error-based, and time-based injection techniques.
by BKpatron
CVSS 8.2
CVE-2020-37022 EXPLOITDB MEDIUM text
OpenZ ERP 3.6.60 - XSS
OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules.
by Vulnerability-Lab
CVSS 6.4
CVE-2020-12608 EXPLOITDB HIGH text
SolarWinds MSP PME <1.1.15 - Code Execution
An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can lead to code execution by changing the CacheService.xml SISServerURL parameter.
by Jens Regel
CVSS 7.8
EIP-2026-114050 EXPLOITDB python
WordPress Plugin Simple File List 4.2.2 - Remote Code Execution
by coiffeur
EIP-2026-111983 EXPLOITDB text
Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting
by Vulnerability-Lab
EIP-2026-110054 EXPLOITDB text
Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection
by Tarun Sehgal
EIP-2026-106308 EXPLOITDB text
CuteNews 2.1.2 - Arbitrary File Deletion
by Besim
EIP-2026-106105 EXPLOITDB text
Complaint Management System 1.0 - Authentication Bypass
by BKpatron