Exploitdb Exploits
49,996 exploits tracked across all sources.
OEcms v3.1 - XSS
A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php.
by Renzi
CVSS 5.4
Dimofinf CMS <3.0.0 - XSS
Cross-site scripting (XSS) vulnerability in news.php in Dimofinf CMS Version 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
by Renzi
CVSS 5.4
Harmis Ek Rishta <2.10 - SQL Injection
router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for Joomla! allows SQL Injection via the PATH_INFO to a home/requested_user/Sent%20interest/ URI.
by Guilherme Assmann
CVSS 8.8
RSLinx Classic <3.90.01 - Privilege Escalation
An unquoted search path or element in RSLinx Classic Versions 3.90.01 and prior and FactoryTalk Linx Gateway Versions 3.90.00 and prior may allow an authorized, but non-privileged local user to execute arbitrary code and allow a threat actor to escalate user privileges on the affected workstation.
by LiquidWorm
CVSS 7.8
Microsoft Windows 10 - Incorrect Permission Assignment
An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions, aka "Windows Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
by Google Security Research
CVSS 7.0
Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload
by h0n1gsp3cht
Maccms 10 - CSRF
Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.
by bay0net
CVSS 8.8
DHCP Client Command Injection (DynoRoot)
DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
by Metasploit
CVSS 7.5
GNU Glibc < 2.26 - Out-of-Bounds Write
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
by Metasploit
CVSS 7.8
Open-Xchange OX App Suite <7.6.3-rev3-7.8.4-rev4 - Path Traversal
Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet.
by Open-Xchange
CVSS 5.5
Open-Xchange OX App Suite <7.8.3-rev12 & <7.8.4-rev9 - XSS
Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.
by Open-Xchange
CVSS 5.4
Open-Xchange OX App Suite <7.6.3-7.8.4 - Info Disclosure
The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.
by Open-Xchange
CVSS 6.5
Open-Xchange OX App Suite <7.6.3-7.8.4 - SSRF
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses.
by Open-Xchange
CVSS 8.8
Open-Xchange OX App Suite <7.6.3-7.8.4 - Info Disclosure
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.
by Open-Xchange
CVSS 6.5
Open-xchange Appsuite < 7.6.3 - XSS
The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.
by Open-Xchange
CVSS 6.5
Open-xchange Appsuite < 7.6.3 - Improper Privilege Management
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks.
by Open-Xchange
CVSS 4.3
WordPress Plugin Ultimate Form Builder Lite < 1.3.7 - SQL Injection
by defensecode
Canon PrintMe EFI - XSS
Cross-site scripting (XSS) vulnerability in the Canon PrintMe EFI webinterface allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /wt3/mydocs.php URI.
by Huy Kha
CVSS 6.1
Genetechsolutions Pie Register < 3.0.10 - SQL Injection
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
by Manuel García Cárdenas
CVSS 9.8
userSpice 4.3.24 - 'X-Forwarded-For' Cross-Site Scripting
by Dolev Farhi
PHP Scripts Mall Schools Alert Mgmt - SQL Injection
Multiple SQL Injections exist in PHP Scripts Mall Schools Alert Management Script via crafted POST data in contact_us.php, faq.php, about.php, photo_gallery.php, privacy.php, and so on.
by M3@Pandas
CVSS 9.8
By Source