Exploitdb Exploits
50,076 exploits tracked across all sources.
Ninja Forms < 3.6.26 - Unauthenticated Reflected Cross-Site Scripting
Unauthenticated reflected cross-site scripting (XSS) vulnerability in the Saturday Drive Ninja Forms Contact Form plugin, versions <= 3.6.25.
by Mehran Seifalinia
CVSS 7.1
EventON WordPress Plugin < 2.1.2 - Unauthenticated Insecure Direct Object Reference via event_id Parameter
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
by Miguel Santareno
CVSS 5.3
EventON < 2.1.2 - Unauthenticated Insecure Direct Object Reference via eventon_ics_download AJAX Action
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
by Miguel Santareno
CVSS 5.3
PHPJabbers Taxi Booking 2.0 - Cross-Site Scripting via Index Parameter
A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross-site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-235963. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Shuttle Booking Software 1.0 - Cross-Site Scripting in /index.php
A vulnerability was found in PHP Jabbers Shuttle Booking Software 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php. The manipulation leads to cross-site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-235959. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Service Booking Script 1.0 - Cross-Site Scripting via Index Parameter
A vulnerability was found in PHP Jabbers Service Booking Script 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument index leads to cross-site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-235960. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHP Jabbers Rental Property Booking 2.0 - Cross-Site Scripting via Index Parameter
A vulnerability, which was classified as problematic, has been found in PHP Jabbers Rental Property Booking 2.0. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index leads to cross-site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235964. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Night Club Booking Software 1.0 - Cross-Site Scripting via Index Parameter
A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument index leads to cross-site scripting. The attack may be initiated remotely. The identifier VDB-235961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting via Index Parameter
A vulnerability classified as problematic has been found in PHP Jabbers Cleaning Business 1.0. Affected is an unknown function of the file /index.php. The manipulation of the argument index leads to cross-site scripting. It is possible to launch the attack remotely. VDB-235962 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
Campcodes Online Matrimonial Website System Script <3.3 - XSS
install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.
by Rajdip Dey Sarkar
CVSS 9.8
Adiscon Aiscon LogAnalyzer <4.1.13 - XSS
A Cross-Site Scripting (XSS) vulnerability in Adiscon Aiscon LogAnalyzer through 4.1.13 allows a remote attacker to execute arbitrary code via the asktheoracle.php, details.php, index.php, search.php, export.php, reports.php, and statistics.php components.
by Pedro
CVSS 6.1
Academy LMS 6.0 - Cross-Site Scripting via Query/Sort_By Parameter
A vulnerability has been found in Academy LMS 6.0 and classified as problematic. This vulnerability affects unknown code of the file /academy/home/courses. The manipulation of the argument query/sort_by leads to cross-site scripting. The attack can be initiated remotely. VDB-235966 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
by CraCkEr
CVSS 4.3
Shelly 4PM Pro <0.11.0 - Memory Corruption
Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to trigger a BLE out-of-bounds read fault condition that results in a device reload.
by The Security Team [exploitsecurity.io]
CVSS 5.3
Joomla Solidres 2.13.3 - Reflected XSS via Multiple Parameters
Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.
by CraCkEr
CVSS 6.1
Joomla iProperty Real Estate 4.1.1 - Reflected XSS via filter_keyword
Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.
by CraCkEr
CVSS 6.1
General Device Manager 2.5.2.2 - Buffer Overflow
General Device Manager 2.5.2.2 is vulnerable to a buffer overflow.
by Ahmet Ümit BAYRAM
CVSS 9.8
Uvdesk 1.1.3 - Unauthenticated Arbitrary File Upload and Remote Code Execution via Image File
An arbitrary file upload vulnerability in Uvdesk 1.1.3 allows attackers to execute arbitrary code via uploading a crafted image file.
by Daniel Barros
CVSS 7.8
Joomla HikaShop 4.7.4 - Reflected XSS via Product Filter
Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.
by CraCkEr
CVSS 6.1
Joomla VirtueMart Shopping-Cart 4.0.12 - Reflected XSS via keyword
Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials.
by CraCkEr
CVSS 6.1
Zomplog 3.9 - Remote Code Execution
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload files (such as JavaScript) and rename them to .php via the saveE and rename actions, then execute the resulting PHP payload to run system commands.
by Mirabbas Ağalarov
CVSS 8.8
Zomplog 3.9 - Authenticated Stored Cross-Site Scripting via Page Creation
Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in the victim's browser.
by Mirabbas Ağalarov
CVSS 5.4
mRemoteNG <= 1.76.20 and <= 1.77.3-dev - Cleartext Storage of Sensitive Information in Memory
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG versions <= v1.76.20 and <= 1.77.3-dev load configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access the contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
by Maximilian Barz
CVSS 7.5
Greenshot < 1.2.10.6 - Remote Code Execution via Insecure .NET Deserialization
Greenshot 1.2.10 and below allows arbitrary code execution because .NET content is insecurely deserialized when a .greenshot file is opened.
by p4r4bellum
CVSS 7.8
copyparty < 1.8.7 - Reflected Cross-Site Scripting via URL Parameters
copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting vulnerability via the URL parameters `?k304=...` and `?setck=...`. The worst-case outcome is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one has inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue.
by Vartamtezidis Theodoros
CVSS 6.3
copyparty 1.8.2 - Directory Traversal
by Vartamtezidis Theodoros