Writeup Exploits
63,697 exploits tracked across all sources.
online-shopping-system-advanced - Unauthenticated SQL Injection via cat_id Parameter
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
CVSS 9.8
online-shopping-system-advanced - Unauthenticated SQL Injection via action.php prId Parameter
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
CVSS 7.5
Online Food Ordering Web App 1.0 - Unauthenticated SQL Injection via Login Username Parameter
An un-authenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0. An attacker can exploit the vulnerable "username" parameter in login.php and retrieve sensitive database information, as well as add an administrative user.
CVSS 9.1
Lodging Reservation Management System 1.0 - SQL Injection via Login Username/Password Fields
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
CVSS 9.8
Simple Water Refilling Station Management System 1.0 - SQL Injection
SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter.
CVSS 9.8
PHPGurukul AVMS <1.0 - SQL Injection
SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE.
CVSS 9.8
Online Catering Reservation System 1.0 - Path Traversal
Directory traversal vulnerability in Online Catering Reservation System 1.0 exists due to lack of validation in index.php.
CVSS 7.5
Online Catering Reservation System 1.0 - Path Traversal
Directory traversal vulnerability in Online Catering Reservation System 1.0 exists due to lack of validation in index.php.
CVSS 7.5
Online Catering Reservation System 1.0 - Path Traversal
Directory traversal vulnerability in Online Catering Reservation System 1.0 exists due to lack of validation in index.php.
CVSS 7.5
Phone Shop Sales Management System 1.0 - SQL Injection
Sourcecodester Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
CVSS 9.8
Teachers Record Management System 1.0 - Unauthenticated SQL Injection via searchteacher Parameter
Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in 'searchteacher' POST parameter in search-teacher.php. This vulnerability can be exploited by a remote unauthenticated attacker to leak sensitive information and perform code execution attacks.
CVSS 9.8
iTop 3.0.1 - Cross-Site Scripting via export-v2.php
ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.
CVSS 6.1
iTop 3.0.1 - Cross-Site Scripting via ajax.render.php
ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php.
CVSS 6.1
Inout Blockchain <1.2.1, <2.2.1 - SQL Injection
Inout Blockchain AltExchanger 1.2.1 and Inout Blockchain FiatExchanger 2.2.1 allow Chart/TradingView/chart_content/master.php symbol SQL injection.
CVSS 7.5
Nortek Linear eMerge E3-Series <0.32-08f - Command Injection
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256.
CVSS 9.8
Nortek Linear eMerge E3-Series < 0.32-07p - Cross-Site Scripting and Session Fixation via CardFormatNo Parameter
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.
CVSS 6.1
Bottle < 0.12.20 - Denial of Service via Early Request Binding Error Handling
Bottle before 0.12.20 mishandles errors during early request binding.
CVSS 9.8
Codoforum 5.1 - Authenticated Arbitrary File Upload via Admin Logo Change
Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
CVSS 7.2
osTicket audit_log < 2022-04-21 - Stored Cross-Site Scripting in auditlogs.tmpl.php
Cross Site Scripting (XSS) vulnerability in audit/templates/auditlogs.tmpl.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae.
CVSS 6.1
osTicket-plugins audit_log < 2022-04-21 - SQL Injection via order Parameter in getOrder Function
SQL Injection vulnerability in audit/class.audit.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae via the order parameter to the getOrder function.
CVSS 9.8
Online Fire Reporting System 1.0 - SQL Injection via Request ID Parameter
Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=requests/manage_request&id=.
CVSS 7.2
Linux Kernel - Out-of-bounds Read via Sound Subsystem ioctl Interface
An out-of-bounds access issue was found in the Linux kernel sound subsystem. It could occur when the 'id->name' provided by the user did not end with '\0'. A privileged local user could pass a specially crafted name through ioctl() interface and crash the system or potentially escalate their privileges on the system.
CVSS 7.8
Complete Online Job Search System 1.0 - SQL Injection via Admin Category Edit ID Parameter
Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/category/index.php?view=edit&id=.
CVSS 7.2
Car Rental Management System 1.0 - SQL Injection via Admin Login Endpoint
Car Rental Management System v1.0 is vulnerable to SQL Injection via /ip/car-rental-management-system/admin/ajax.php?action=login.
CVSS 7.2
osTicket-plugins - Storage-FS < 2022-05-19 - Stored Cross-Site Scripting via SVG File Upload
A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
CVSS 5.4
By Source