Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2019-10846 EXPLOITDB MEDIUM text
Computrols CBAS < 19.0.0 - Unauthenticated Reflected Cross-Site Scripting via Username Parameter
Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter.
by LiquidWorm
CVSS 6.1
CVE-2019-10848 EXPLOITDB MEDIUM text
Computrols CBAS < 19.0.0 - Username Enumeration
Computrols CBAS 18.0.0 allows Username Enumeration.
by LiquidWorm
CVSS 5.3
EIP-2026-101581 EXPLOITDB python
CBAS-Web 19.0.0 - Remote Code Execution
by LiquidWorm
CVE-2019-10847 EXPLOITDB HIGH text
Computrols CBAS < 19.0.0 - Cross-Site Request Forgery
Computrols CBAS 18.0.0 allows Cross-Site Request Forgery.
by LiquidWorm
CVSS 8.8
EIP-2026-101263 EXPLOITDB ruby VERIFIED
eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)
by LiquidWorm
CVE-2019-7265 EXPLOITDB CRITICAL python
Linear eMerge E3-Series Firmware < 1.00-06 - Remote Code Execution via Hard-coded SSH Credentials
Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH).
by LiquidWorm
CVSS 9.8
CVE-2019-10849 EXPLOITDB HIGH text
Computrols CBAS < 19.0.0 - Unauthenticated Source Code Disclosure via SVN Directory
Computrols CBAS 18.0.0 allows unprotected Subversion (SVN) directory / source code disclosure.
by LiquidWorm
CVSS 7.5
CVE-2018-12234 EXPLOITDB MEDIUM text
Adrenalin 5.4.0 - Reflected Cross-Site Scripting via GeneralInfo.aspx strAction Parameter
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Adrenalin 5.4.0 HRMS Software. User-supplied input containing JavaScript is echoed back inside JavaScript code in an HTML response via the flexiportal/GeneralInfo.aspx strAction parameter.
by Cy83rl0gger
CVSS 6.1
CVE-2018-12653 EXPLOITDB MEDIUM text
Adrenalin HRMS 5.4.0 - Reflected Cross-Site Scripting via ReportId Parameter
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Adrenalin HRMS 5.4.0. An attacker can inject malicious JavaScript code into /RPT/SSRSDynamicEditReports.aspx via the 'ReportId' parameter.
by Cy83rl0gger
CVSS 6.1
CVE-2018-12650 EXPLOITDB MEDIUM text
Adrenalin HRMS <5.4.0 - XSS
Adrenalin HRMS version 5.4.0 contains a Reflected Cross Site Scripting (XSS) vulnerability in the ApplicationtEmployeeSearch page via 'prntDDLCntrlName' and 'prntFrmName'.
by Cy83rl0gger
CVSS 6.1
CVE-2019-7671 EXPLOITDB CRITICAL text
Prima Systems FlexAir <2.3.38 - RCE
Prima Systems FlexAir, versions 2.3.38 and prior: parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user's browser session in the context of an affected site.
by LiquidWorm
CVSS 9.0
CVE-2019-25292 EXPLOITDB HIGH text
Alps HID Monitor Service 8.1.0.10 - Code Injection
Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\Apoint2K\HidMonitorSvc.exe to inject malicious executables and gain system-level access.
by Héctor Gabriel Chimecatl Hernández
CVSS 7.8
CVE-2019-25286 EXPLOITDB HIGH text
GCafé 3.0 - Unquoted Service Path in gbClientService
GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions.
by 4ll4u
CVSS 7.8
EIP-2026-119666 EXPLOITDB text
XML Notepad 2.8.0.4 - XML External Entity Injection
by daejinoh
CVE-2019-8196 EXPLOITDB CRITICAL text VERIFIED
Adobe Acrobat and Reader DC < 15.006.30504, 15.008.20082-19.021.20047 - Untrusted Pointer Dereference
Adobe Acrobat and Reader versions 2019.012.20040 and earlier, 2017.011.30148 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution.
by Google Security Research
CVSS 9.8
CVE-2019-8195 EXPLOITDB CRITICAL text VERIFIED
Adobe Acrobat and Reader DC < 15.006.30504, 15.008.20082-19.021.20047 - Untrusted Pointer Dereference
Adobe Acrobat and Reader versions 2019.012.20040 and earlier, 2017.011.30148 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution.
by Google Security Research
CVSS 9.8
CVE-2019-8662 EXPLOITDB CRITICAL text VERIFIED
iPhone OS < 12.4 - Use-After-Free via Untrusted NSDictionary Deserialization
This issue was addressed with improved checks. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary.
by Google Security Research
CVSS 9.8
EIP-2026-102169 EXPLOITDB c
iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
by Sem Voigtlander
EIP-2026-117926 EXPLOITDB text
SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
by Carlos A Garcia R
EIP-2026-109931 EXPLOITDB text
Nextcloud 17 - Cross-Site Request Forgery
by Ozer Goker
CVE-2019-14347 EXPLOITDB HIGH python
Schben Adive < 2.0.7 - Privilege Escalation via User Addition
Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unprivileged users (editor or developer) to create an administrator account via admin/user/add, as demonstrated by a Python PoC script.
by Pablo Santiago
CVSS 8.8
CVE-2019-16662 EXPLOITDB CRITICAL ruby VERIFIED
rconfig 3.9.2 - OS Command Injection via ajaxServerSettingsChk.php rootUname Parameter
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
by Metasploit
CVSS 9.8
CVE-2019-10475 EXPLOITDB MEDIUM python
Jenkins build-metrics < 1.3 - Reflected Cross-Site Scripting
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
by vesche
CVSS 6.1
CVE-2017-13156 EXPLOITDB HIGH ruby VERIFIED
Android Janus APK Signature bypass
An elevation of privilege vulnerability in the Android system (art). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-64211847.
by Metasploit
CVSS 7.8
CVE-2019-25287 EXPLOITDB HIGH text
Adaware Web Companion 4.8.2078.3950 - Code Injection
Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Lavasoft\Web Companion\Application\ to inject malicious code that would execute with LocalSystem privileges during service startup.
by Mariela L Martínez Hdez
CVSS 7.8