Exploitdb Exploits
50,076 exploits tracked across all sources.
DLink DPH-400SE FRU <2.2.15.8 - Privilege Escalation
An issue in DLINK DPH-400SE FRU 2.2.15.8 allows a remote attacker to escalate privileges via the User Modify function in the Maintenance/Access function component.
by tahaafarooq
CVSS 8.8
Ivanti Avalanche < 6.4.1 - Remote Code Execution via Crafted Message
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.
Thanks to a Researcher at Tenable for finding and reporting.
Fixed in version 6.4.1.
by Robel Campbell
CVSS 9.8
Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
by Waqas Ahmed Faroouqi
WP Statistics <= 13.1.5 - Unauthenticated SQL Injection via current_page_id Parameter
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
by psychoSherlock
CVSS 9.8
SPA-Cart eCommerce CMS 1.9.0.3 - XSS
A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.
by CraCkEr
CVSS 3.5
tdevs hyip_rio 2.1 - Cross-Site Scripting via Profile Settings Avatar Parameter
A vulnerability, which was classified as problematic, has been found in tdevs Hyip Rio 2.1. Affected by this issue is some unknown functionality of the file /user/settings of the component Profile Settings. The manipulation of the argument avatar leads to cross site scripting. The attack may be launched remotely. VDB-237314 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 3.5
CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
by Daniel González
CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
by Daniel González
Credit Lite 1.5.4 - SQL Injection via POST Request Handler
A vulnerability classified as critical was found in Codecanyon Credit Lite 1.5.4. Affected by this vulnerability is an unknown functionality of the file /portal/reports/account_statement of the component POST Request Handler. The manipulation of the argument date1/date2 leads to sql injection. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-237511.
by CraCkEr
CVSS 6.3
Blood Donor Management System v1.0 - Stored XSS
by Ehlullah Albayrak
Pi-hole AdminLTE < 5.17 - Unauthenticated Improper Access Control in queryads Endpoint
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path:
`/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.
by kv1to
CVSS 5.3
FileMage Gateway <1.10.8 - Path Traversal
Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.
by Bryce Raindayzz Harty
CVSS 7.5
User Registration & Login and User Management System With Admin Panel 3.0 - SQL Injection via Admin Username Field
SQL Injection vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to obtain sensitive information via crafted string in the admin user name field on the admin log in page.
by Ashutosh Singh Umath
CVSS 9.8
User Registration & Login System 3.0 - Stored XSS via Registration Form
Cross Site Scripting (XSS) vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to run arbitrary code via fname, lname, email, and contact fields of the user registration page.
by Ashutosh Singh Umath
CVSS 5.4
TSplus Remote Access <16.0.2.14 - Info Disclosure
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.
by shinnai
CVSS 9.8
TSplus Remote Access <16.0.2.14 - Info Disclosure
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.
by shinnai
CVSS 9.8
TSplus Remote Access <16.0.2.14 - Info Disclosure
An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.
by shinnai
CVSS 9.8
Inosoft VisiWin <2022-2.1 - Privilege Escalation
An issue was discovered in Inosoft VisiWin 7 through 2022-2.1 (Runtime RT7.3 RC3 20221209.5). The "%PROGRAMFILES(X86)%\INOSOFT GmbH" folder has weak permissions for Everyone, allowing an attacker to insert a Trojan horse file that runs as SYSTEM. 2024-1 is a fixed version.
by shinnai
CVSS 7.8
PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities
by Kerimcan Ozturk
Global - Multi School Management System Express v1.0- SQL Injection
by Ahmet Ümit BAYRAM
Crypto Currency Tracker < 9.5 - Unauthenticated Admin Registration via User Registration Page
Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin account via a crafted POST request.
by 0xBr
CVSS 9.8
By Source