Exploitdb Exploits
50,095 exploits tracked across all sources.
Microsoft Edge - Remote Code Execution via Scripting Engine Memory Corruption
Microsoft Edge in Windows 10 1709 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0758, CVE-2018-0762, CVE-2018-0768, CVE-2018-0769, CVE-2018-0770, CVE-2018-0772, CVE-2018-0773, CVE-2018-0774, CVE-2018-0776, CVE-2018-0777, CVE-2018-0778, and CVE-2018-0781.
by Google Security Research
CVSS 7.5
ChakraCore and Microsoft Edge - Privilege Escalation
ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to gain the same user rights as the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11905, CVE-2017-11907, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.
by Google Security Research
CVSS 7.5
Microsoft Edge - Information Disclosure via Scripting Engine Memory Handling
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0767 and CVE-2018-0800.
by Google Security Research
CVSS 5.3
SugarCRM 3.5.1 - Cross-Site Scripting via Query String Parameter Name
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
by Guilherme Assmann
CVSS 6.1
Reservo Image Hosting 1.6 - Cross-Site Scripting via Search Parameter
Reservo Image Hosting 1.6 is vulnerable to XSS attacks. The affected function is its search engine (the t parameter to the /search URI). Since there is an user/admin login interface, it's possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed.
by Dennis Veninga
CVSS 6.1
MASTER IPCAMERA01 <3.3.4.2103 - Info Disclosure
MASTER IPCAMERA01 3.3.4.2103 devices allow remote attackers to obtain sensitive information via a crafted HTTP request, as demonstrated by the username, password, and configuration settings.
by Raffaele Sabato
CVSS 9.8
glibc < 2.26 - Buffer Underflow and Potential Code Execution via realpath()
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
by halfdog
CVSS 7.8
D-Link DNS-343 ShareCenter <1.05 - Command Injection
D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. NOTE: The DNS-343 product line has been declared end-of-life.
by GulfTech Security
CVSS 9.8
Flexense SysGauge <3.6.18 - Buffer Overflow
The server in Flexense SysGauge 3.6.18 operating on port 9221 can be exploited remotely with the attacker gaining system-level access because of a Buffer Overflow.
by Ahmad Mahfouz
CVSS 8.1
Flexense Disk Pulse Enterprise 10.1.18 - Denial of Service via Crafted SERVER_GET_INFO Packet
In Flexense Disk Pulse Enterprise v10.1.18, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.
by Ahmad Mahfouz
CVSS 7.5
RISE Ultimate Project Manager 1.9 - SQL Injection via Search Parameter
SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allows remote attackers to execute arbitrary SQL commands via the search parameter to index.php/knowledge_base/get_article_suggestion/.
by Ahmad Mahfouz
CVSS 9.8
pfSense < 2.1.4 - Authenticated Remote Code Execution
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.
by absolomb
Perfex CRM 1.9.7 - Unrestricted File Upload and Remote Code Execution
In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution.
by Ahmad Mahfouz
CVSS 9.8
FoxSash ImgHosting 1.5 - Cross-Site Scripting via Search Parameter
FoxSash ImgHosting 1.5 (according to footer information) is vulnerable to XSS attacks. The affected function is its search engine via the search parameter to the default URI. Since there is an user/admin login interface, it's possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed.
by Dennis Veninga
CVSS 6.1
ILIAS < 5.2.4 - Cross-Site Scripting via Setup Component cmd Parameter
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
by Florian Kunushevci
CVSS 6.1
GitStack <2.3.10 - Privilege Escalation
An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI.
by SecuriTeam
CVSS 9.8
Flash Operator Panel 2.31.03 - Command Execution
by Vulnerability-Lab
D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities
by GulfTech Security
By Source