Exploit Database
WBCE CMS < 1.6.3 - Authenticated Remote Code Execution via Malicious Module Upload
WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
CVSS 8.8
WBCE CMS 1.6.2 - Authenticated Remote Code Execution via Elfinder File Upload
WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.
CVSS 8.8
WBCE CMS 1.6.0 - Unauthenticated SQL Injection via DB_RECORD_TABLE Parameter
SQL injection vulnerability in the miniform module in WBCE CMS v1.6.0 allows a remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.
CVSS 9.8
WBCE CMS 1.5.3 - Command Injection via admin/languages/install.php
WBCE CMS 1.5.3 has a command execution vulnerability via admin/languages/install.php.
CVSS 7.2
WBCE CMS 1.5.2 - Authenticated Remote Code Execution via Droplet Upload
WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.
CVSS 8.8
WBCE CMS < 1.5.4 - Cross-Site Scripting via Overview Page Post Loop Field
A cross-site scripting (XSS) vulnerability in the Overview Page settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Loop field.
CVSS 4.8
WBCE CMS < 1.5.4 - Stored Cross-Site Scripting via Modify Page Source Field
A cross-site scripting (XSS) vulnerability in the Modify Page module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Source field.
CVSS 4.8
WBCE CMS - Improper Restriction of Excessive Authentication Attempts
A vulnerability, which was classified as problematic, has been found in WBCE CMS. Affected by this issue is the function increase_attempts of the file wbce/framework/class.login.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The name of the patch is d394ba39a7bfeb31eda797b6195fd90ef74b2e75. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213716.
CVSS 3.7
Pi-Star DV <5aa194d - Buffer Overflow
Pi-Star_DV_Dash (for Pi-Star DV) before 5aa194d mishandles the module parameter.
CVSS 9.8
SuiteCRM 7.12.7 - Authenticated Remote Code Execution via Deserialization
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution.
CVSS 8.8
SuiteCRM 7.12.7 - Privilege Escalation
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.
CVSS 8.1
Book Store Management System 1.0.0 - Stored Cross-Site Scripting via Level Parameter in Add New System User Module
A cross-site scripting (XSS) vulnerability in Book Store Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Level parameter under the Add New System User module.
CVSS 5.4
Vsourz Advanced Contact Form 7 DB 1.7.2 and 1.9.1 - Cross-Site Scripting
Vsourz Digital Advanced Contact Form 7 DB versions 1.7.2 and 1.9.1 are vulnerable to Cross-Site Scripting (XSS).
CVSS 6.1
EQ < 2.2.0 - SQL Injection
EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter.
CVSS 9.8
Pandora FMS v765 - Stored Cross-Site Scripting in Network Map Name
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all platforms allows Cross-Site Scripting (XSS). A user with manager privileges can create a network map whose name contains an XSS payload. Once it is created, the payload executes when an admin user opens the edit network maps view, which could be used to steal the admin user's cookie value.
CVSS 6.1
Xiongmai NBD6808T-PL and MBD6304T Firmware - Unauthenticated Remote Code Execution via URI Buffer Overflow
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow an unauthenticated and remote user to exploit a stack-based buffer overflow and crash the web server, resulting in a system reboot. An unauthenticated and remote attacker can execute arbitrary code by sending a crafted HTTP request that triggers the overflow condition via a long URI passed to a sprintf call. NOTE: this is different from CVE-2018-10088, but it may overlap CVE-2017-16725.
CVSS 9.8
Tenda W30E V1.0.1.25(633) - Stack Overflow via PPPOEPassword Parameter
Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the PPPOEPassword parameter at /goform/QuickIndex.
CVSS 7.5
SCHLIX CMS 2.2.7-2 - Authenticated Arbitrary File Upload via tristao Parameter
Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows an attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.
CVSS 8.8
APSystems ECU-R Firmware 5203 - Unauthenticated OS Command Injection via Timezone Parameter
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
CVSS 9.8
Arris TG2482A Firmware <= 9.1.103GEM9 - Remote Code Execution via Ping Utility
Arris TG2482A firmware through 9.1.103GEM9 allows Remote Code Execution (RCE) via the ping utility feature.
CVSS 8.8
Doctor Appointment Management System 1.0.0 - Cross-Site Scripting
Doctor Appointment Management System v1.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability.
CVSS 6.1
Doctor Appointment Management System 1.0.0 - Cross-Site Scripting via Employee ID Parameter
A cross-site scripting (XSS) vulnerability in Doctor Appointment Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Employee ID parameter.
CVSS 6.1
starsoftcomm CooCare < 5.364 - Privilege Escalation via Crafted File Upload
starsoftcomm CooCare 5.304 allows local attackers to escalate privileges and execute arbitrary commands via a crafted file upload.
CVSS 7.8
Alinto SOGo < 5.8.0 - Cross-Site Scripting in Identity Handler
A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960.
CVSS 3.5
x-man 1.0 - SQL Injection
X-Man 1.0 has a SQL injection vulnerability, which can cause data leakage.
CVSS 7.5