Exploitdb Exploits
49,996 exploits tracked across all sources.
Plays.tv < 1.27.7.0 - Authentication Bypass
plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user.
by Securifera
CVSS 9.8
Microsoft Windows 10 - Authentication Bypass
The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".
by Preempt
CVSS 7.0
Drupal Drupalgeddon 2 Forms API Property Injection
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
by Vitalii Rudnykh
CVSS 9.8
Drupal Drupalgeddon 2 Forms API Property Injection
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
by Hans Topo & g0tmi1k
CVSS 9.8
MikroTik Version 6.41.4 - DoS
A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending a crafted FTP request on port 21 that begins with many '\0' characters, preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.
by FarazPajohan
CVSS 7.5
Joomla! <2.0.4 - RCE
The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file.
by Sairam Jetty
CVSS 7.8
Iscripts Easycreate - XSS
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field.
by ManhNho
CVSS 5.4
Dvd-x-player Dvd X Player - Memory Corruption
DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf file, a related issue to CVE-2007-3068.
by Prasenjit Kanti Paul
CVSS 7.8
Wuzhicms - CSRF
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
by taoge
CVSS 8.8
Iptanus Wordpress File Upload < 4.3.4 - XSS
The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
by ManhNho
CVSS 6.1
Iptanus Wordpress File Upload < 4.3.3 - XSS
The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.
by ManhNho
CVSS 5.4
WordPress Activity Log <2.4.1 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
by Stefan Broeder
CVSS 6.1
Iscripts Easycreate - XSS
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" field.
by ManhNho
CVSS 5.4
Google Chrome V8 JIT - 'LoadElimination::ReduceTransitionElementsKind' Type Confusion
by Google Security Research
Dell Emc Avamar - Missing Authorization
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
by SlidingWindow
CVSS 9.8
MyBB Recent threads 17.0 Persistent Cross-Site Scripting
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.
by Perileos
CVSS 7.2
BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server.
by Lenon Leite
CVSS 8.8
PMS 0.42 Stack-Based Buffer Overflow via Configuration File
PMS 0.42 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious values in the configuration file. Attackers can craft configuration files with oversized input that overflows the stack buffer and execute shell commands via return-oriented programming gadgets.
by Juan Sacco
CVSS 8.4
KYOCERA Net Admin 3.4.0906 - CSRF
KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page.
by LiquidWorm
CVSS 8.8
KYOCERA Net Admin 3.4.0906 - XXE Injection
KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.
by LiquidWorm
CVSS 7.5
H2 1.4.197 - RCE
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."
by gambler
CVSS 8.8
Yahei Php Prober - XSS
proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.
by ManhNho
CVSS 6.1
WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution
by Graeme Robinson
By Source