Exploitdb Exploits
50,121 exploits tracked across all sources.
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
A command injection vulnerability, arising from arbitrary file creation in the GlobalProtect feature of Palo Alto Networks PAN-OS software, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It affects specific PAN-OS versions and distinct feature configurations.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
by Kr0ff
CVSS 10.0
djangorestframework-simplejwt <5.3.1 - Info Disclosure
djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. Because the for_user method performs no user validation check, a user can continue to access web application resources even after their account has been disabled.
by Dhrumil Mistry
CVSS 5.5
Openclinic GA - Path Traversal
An issue was discovered in OpenClinic GA 5.247.01. An attacker can perform a directory path traversal via the Page parameter in a GET request to main.do.
by VB
CVSS 7.5
Openclinic GA - Information Disclosure
An issue was discovered in OpenClinic GA 5.247.01. An Information Disclosure vulnerability has been identified in the printAppointmentPdf.jsp component of OpenClinic GA. By changing the AppointmentUid parameter, an attacker can determine whether a specific appointment exists based on the error message.
by VB
CVSS 7.5
Jenkins cli Ampersand Replacement Arbitrary File Read
Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, do not disable a feature of the CLI command parser that replaces an '@' character followed by a file path in an argument with that file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
by Matisse Beckandt
CVSS 9.8
Savsoft Quiz 6.0 - XSS
Savsoft Quiz 6.0 allows stored XSS via the quiz_name parameter of index.php/quiz/insert_quiz/.
by Eren Sen
CVSS 6.1
Compuware iStrobe Web 20.13 - RCE
Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint.
by trancap
Stock Management System 1.0 - RCE
SQL Injection vulnerability in Stock Management System 1.0 allows a remote attacker to execute arbitrary code via the id parameter in the manage_bo.php file.
by blu3ming
CVSS 9.8
Phpgurukul Online Fire Reporting System - SQL Injection
A SQL Injection vulnerability exists in the `ofrs/admin/index.php` script of PHPGurukul Online Fire Reporting System 1.2. The vulnerability allows attackers to bypass authentication and gain unauthorized access by injecting SQL commands into the username input field during the login process.
by Diyar Saadi
CVSS 9.1
Terratec DMX_6Fire USB <1.23.0.02 - Privilege Escalation
An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component.
by Joseph Kwabena Fiagbor
CVSS 6.7
Ray <2.8.1 - Command Injection
A command injection vulnerability existed in the cpu_profile URL parameter of the Ray dashboard, allowing unauthenticated remote attackers to execute OS commands on the system running the dashboard. The issue is fixed in version 2.8.1+. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
by Fire_Wolf
CVSS 9.8
Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
by Erdemstar
Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)
by Erdemstar
WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)
by tmrswrr
Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter
by Julio Ángel Ferrari
openeclass <3.15 - RCE
A file upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code by submitting a crafted file to the certbadge.php endpoint.
by George Tsimpidas
CVSS 9.8
MinIO - Privilege Escalation
MinIO is a high-performance object storage server. When someone creates an access key, it inherits the permissions of the parent key, not only for `s3:*` actions but also for `admin:*` actions. This means that unless `admin` rights are denied somewhere higher in the access-key hierarchy, an access key can simply override its own `s3` permissions with something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
by Jenson Zhao
CVSS 8.8
AnyDesk 7.0.15,9.0.1 - Code Injection
AnyDesk 7.0.15 and 9.0.1 contain an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted service path configuration to place malicious executables that will be run with high-level system permissions.
by Milad Karimi
Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
by Milad Karimi
Open Source Medicine Ordering System v1.0 - SQLi
by Onur Karasalihoğlu
Human Resource Management System v1.0 - Multiple SQLi
by nu11secur1ty