Exploitdb Exploits
50,095 exploits tracked across all sources.
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)
by Manoj Ahuje
Open-Audit Community 2.2.6 - Stored Cross-Site Scripting via Group Name
Cross-site scripting (XSS) vulnerability in the Groups Page in Open-Audit Community 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the group name.
by Ranjeet Jaiswal
CVSS 6.1
Subrion < 4.2.2 - Cross-Site Scripting via .html File Upload
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
by Zeel Chavda
CVSS 6.1
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
by r3m0t3nu11
WaveMaker Studio 6.6 - Server-Side Request Forgery via studioService.download inUrl Parameter
com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.
by Gionathan Reale
CVSS 9.6
LAMS < 3.1 - Unauthenticated Reflected Cross-Site Scripting via Forgot Password Key Parameter
There is unauthenticated reflected cross-site scripting (XSS) in LAMS before 3.1 that allows a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized GET parameter during a forgotPasswordChange.jsp?key= password change.
by Nikola Kojic
CVSS 6.1
Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above - Path Traversal via Log Viewer File Parameter
An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack.
by Chris
CVSS 7.5
FortiClient < 5.2.3 - Unauthorized Kernel Memory Read via mdare Driver ioctl
The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.
by sickness & mschenk
Fortinet FortiClient < 5.2.3 - Local Privilege Escalation via Fortishield.sys Ioctl Calls
The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows local users to execute arbitrary code with kernel privileges by setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl call.
by sickness & mschenk
Vuze Bittorrent Client 5.7.6.0 - XML External Entity Injection via SSDP/UPnP XML Parser
In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Vuze, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
by Chris Moberly
CVSS 9.8
Plex Media Server 1.13.2.5154 - Unauthenticated XML External Entity Injection via SSDP/UPnP Parser
In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
by Chris Moberly
CVSS 9.8
PHP Template Store Script 3.0.6 - XSS
PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Address Line 2, Bank name, or A/C Holder name field in a profile.
by Sarafraz Khan
CVSS 5.4
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
by Metasploit
CVSS 7.0
cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal
by Google Security Research
Imperva SecureSphere <13.0-11.5 - Privilege Escalation
Imperva SecureSphere running v13.0, v12.0, or v11.5 allows low privileged users to add SSH login keys to the admin user, resulting in privilege escalation.
by 0x09AL
CVSS 8.8
Imperva SecureSphere <12.0.0.50 - RCE
Imperva SecureSphere running v12.0.0.50 is vulnerable to local arbitrary code execution, escaping sealed-mode.
by 0x09AL
CVSS 7.8
Universal Media Server 7.1.0 - Unauthenticated XML External Entity Injection via SSDP/UPnP Parser
In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running UMS, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
by Chris Moberly
CVSS 9.8
Datalust Seq <4.2.605 - Auth Bypass
Datalust Seq before 4.2.605 is vulnerable to Authentication Bypass (with the attacker obtaining admin access) via '"Name":"isauthenticationenabled","Value":false' in an api/settings/setting-isauthenticationenabled PUT request.
by Daniel Chactoura
CVSS 9.8
AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)
by Luis Martínez
Oracle Solaris <11 - Privilege Escalation
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Availability Suite Service). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
by mu-b
CVSS 7.8
wityCMS 0.6.2 - Cross-Site Request Forgery in Admin User Edit
CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allows an attacker to take over a user account, as demonstrated by modifying the account's email field.
by Porhai Eung
CVSS 8.8
TI Online Examination System v2 - Arbitrary File Download
by AkkuS
PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection
by AkkuS
By Source