Exploitdb Exploits
50,076 exploits tracked across all sources.
8 TOTOLINK Router Models - Backdoor Access / Remote Code Execution
by Pierre Kim
4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting
by Pierre Kim
Kaseya Virtual System Administrator 7.x < 7.0.0.29, 8.x < 8.0.0.18, 9.0 < 9.0.0.14, 9.1 < 9.1.0.4 - Open Redirect
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
by Pedro Ribeiro
Joomla! Component com_docman - Multiple Vulnerabilities
by Hugo Santiago
pimcore < build 3473 - Authenticated Path Traversal and Arbitrary File Write via Admin Asset Compatibility Endpoint
Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility.
by Portcullis
ZOC Terminal Emulator 7 - Quick Connection Crash (PoC)
by SATHISH ARTHAR
Internet Download Manager - Find Download Crash (PoC)
by Mohammad Reza Espargham
Internet Download Manager - '.ief' Crash (PoC)
by Mohammad Reza Espargham
sysPass < 1.0.9 - Authenticated SQL Injection via Search Parameter
SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier allows remote authenticated users to execute arbitrary SQL commands via the search parameter to ajax/ajax_search.php.
by SySS GmbH
SquirrelMail <= 1.4.4 - Remote Code Execution via Extract Function
options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting (XSS) attacks, and write arbitrary files.
by GulfTech Security
Free Reprintables ArticleFR 3.0.6 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to dashboard/settings/categories/, (2) title or (3) rel parameter to dashboard/settings/links/, or (4) url parameter to dashboard/tools/pingservers/.
by LiquidWorm
soplanning < 1.32 - Path Traversal via URL Path Parameter
Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
by Huy-Ngoc DAU
CVSS 5.3
soplanning < 1.32 - Exposure of Sensitive Information via ICAL Calendar Link
Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash.
by Huy-Ngoc DAU
CVSS 7.5
soplanning < 1.33 - Cross-Site Scripting via nb_mois, mb_ligness, and export.php Debug Parameter
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cookie in nb_mois and mb_ligness and the debug GET parameter to export.php, which allows malicious users to execute arbitrary code.
by Huy-Ngoc DAU
CVSS 5.4
SOPlanning < 1.33 - SQL Injection
Multiple SQL injection vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning (SOPlanning) before 1.33.
by Huy-Ngoc DAU
CVSS 9.8
Adobe Flash opaqueBackground Use After Free
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.
by Metasploit
CVSS 9.8
Full Player 8.2.1 - Memory Corruption (PoC)
by SATHISH ARTHAR
zenphoto < 1.4.9 - Cross-Site Request Forgery in admin.php
Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption).
by Tim Coen
CVSS 6.5
Swim Team plugin < 1.44.10777 - Path Traversal
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.
by Larry W. Cashdollar
CVSS 5.3
WordPress Plugin CP Contact Form with Paypal 1.1.5 - Multiple Vulnerabilities
by Nitin Venkatesh
soplanning < 1.32 - Authenticated Remote Code Execution via Crafted Database Name
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users to execute arbitrary PHP code via a crafted database name when they have a prepared database and either access to an existing database with a crafted name or permissions to create arbitrary databases, or when PHP before 5.2 is in use, the configuration database is down, and smarty/templates_c is not writable.
by Huy-Ngoc DAU
CVSS 5.3