Exploitdb Exploits
49,989 exploits tracked across all sources.
DomainMOD 4.11.01 - XSS
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.
by Mohammed Abdul Raheem
CVSS 4.8
DomainMOD 4.11.01 - XSS
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
by Mohammed Abdul Raheem
CVSS 4.8
DomainMOD <4.11.01 - XSS
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
by Mohammed Abdul Kareem
CVSS 4.8
DomainMOD <4.11.01 - XSS
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
by Mohammed Abdul Kareem
CVSS 4.8
ApowerManager <3.1.7 - DoS
The ApowerManager application through 3.1.7 for Android allows remote attackers to cause a denial of service via many simultaneous /?Key=PhoneRequestAuthorization requests.
by s4vitar
CVSS 7.5
PilusCart 1.4.1 SQL Injection via send Parameter
PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Attackers can submit POST requests to the comment submission endpoint with RLIKE-based boolean SQL injection payloads to extract sensitive database information.
by Mehmet EMIROGLU
CVSS 8.2
NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)
by Alejandra Sánchez
NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)
by Alejandra Sánchez
Rukovoditel <2.4.1 - XSS
Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.
by Mehmet EMIROGLU
CVSS 6.1
Apple Mac OS X < 10.13.5 - Memory Corruption
An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Windows Server" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
by Synacktiv
CVSS 7.8
Canonical snapd <2.37.1 - Command Injection
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
by Chris Moberly
CVSS 9.8
Canonical snapd <2.37.1 - Command Injection
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
by Chris Moberly
CVSS 9.8
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by embargo
CVSS 8.6
OPNsense 19.1 - XSS
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions.
by Ozer Goker
CVSS 5.4
OPNsense 19.1 - XSS
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.
by Ozer Goker
CVSS 6.1
OPNsense 19.1 - XSS
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.
by Ozer Goker
CVSS 6.1
OPNsense 19.1 - XSS
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to execute arbitrary code in users' browsers.
by Ozer Goker
CVSS 6.1
OPNsense 19.1 - XSS
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to execute arbitrary JavaScript in the browsers of other users accessing firewall rule pages.
by Ozer Goker
CVSS 6.4
OPNsense 19.1 - XSS
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session.
by Ozer Goker
CVSS 6.1
OPNsense 19.1 - XSS
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters to execute arbitrary JavaScript in users' browsers.
by Ozer Goker
CVSS 6.1
OPNsense 19.1 - XSS
OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context of authenticated user sessions when the page is viewed.
by Ozer Goker
CVSS 6.4
OPNsense 19.1 - XSS
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.
by Ozer Goker
CVSS 5.4
OPNsense 19.1 - XSS
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers.
by Ozer Goker
CVSS 6.1
By Source