Exploitdb Exploits
50,095 exploits tracked across all sources.
QNAP Q'center < 1.7.1063 - Authenticated OS Command Injection via Change Password
Command injection vulnerability in change password of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
by Metasploit
CVSS 7.2
Microsoft Enterprise Mode Site List Manager - XML External Entity Injection
by hyp3rlinx
WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting
by Berk Dusunur
PrestaShop <1.6.1.20 & <1.7.3.4 - Info Disclosure
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
by Charles Fol
CVSS 9.1
PrestaShop <1.6.1.20 & <1.7.3.4 - Info Disclosure
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
by Charles Fol
CVSS 9.1
macOS/iOS - JavaScript Injection Bug in OfficeImporter
by Google Security Research
Linux Kernel < 3.16 - Privilege Escalation via SGID Directory Inode Initialization
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
by Google Security Research
CVSS 7.8
HP Fortify Software Security Center 17.1, 17.2, 18.1 - Unauthenticated XML External Entity Injection via Crafted DTD
An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
by alt3kx
CVSS 9.8
VelotiSmart WiFi B-380 - Path Traversal
The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80.
by Miguel Mendez Z
CVSS 9.8
Zeta Producer < 14.2.1 - Unauthenticated Path Traversal and File Disclosure via Filebrowser Plugin
The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
by SEC Consult
CVSS 5.5
WAGO e!DISPLAY 762-3000/3001/3002/3003 < FW 02 - Authenticated Arbitrary File Upload
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.
by SEC Consult
CVSS 8.8
WAGO e!DISPLAY 762-3000/762-3001/762-3002/762-3003 < FW 02 - Authenticated Arbitrary File Write via WBM File Upload
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.
by SEC Consult
CVSS 6.5
QNAP Q'center < 1.7.1063 - Authenticated OS Command Injection via Date Parameter
Command injection vulnerability in date of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
by Core Security
CVSS 8.8
QNAP Q'center < 1.7.1063 - Authenticated OS Command Injection
Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
by Core Security
CVSS 8.8
QNAP Q'center < 1.7.1063 - Authenticated OS Command Injection via Change Password
Command injection vulnerability in change password of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
by Core Security
CVSS 7.2
QNAP Q'center Virtual Appliance <1.7.1063 - Info Disclosure
Exposure of Private Information in QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to access sensitive information.
by Core Security
CVSS 8.8
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
by Metasploit
CVSS 9.8
Intel 64 and IA-32 Architectures - Privilege Escalation
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
by Metasploit
CVSS 7.8
G DATA Total Security <25.4.0.3 - Buffer Overflow
The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA Total Security 25.4.0.3 has a buffer overflow via a long IsBlackListed argument.
by Filipe Xavier Oliveira
CVSS 8.8
Zeta Producer Desktop CMS < 14.2.1 - Unauthenticated Remote Code Execution via PHP File Upload
The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated remote code execution due to a default component that permits arbitrary upload of PHP files, because the formmailer widget blocks .php files but not .php5 or .phtml files. This is related to /assets/php/formmailer/SendEmail.php and /assets/php/formmailer/functions.php.
by SEC Consult
CVSS 9.8
WAGO e!DISPLAY 762-3000-762-3003 < FW 02 - Cross-Site Scripting via Web Server Request
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability can be exploited by authenticated and unauthenticated users by sending special crafted requests to the web server allowing injecting code within the WBM. The code will be rendered and/or executed in the browser of the user's browser.
by SEC Consult
CVSS 5.4
phpMyAdmin 4.8.x <4.8.2 - Code Injection
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
by Metasploit
CVSS 8.8
Hadoop YARN ResourceManager - Command Execution (Metasploit)
by Metasploit
Hadoop YARN ResourceManager - Command Execution (Metasploit)
by Metasploit
Apache CouchDB < 1.7.0 and 2.x < 2.1.1 - Authenticated OS Command Injection via Configuration Options
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
by Metasploit
CVSS 7.2
By Source