Exploitdb Exploits
50,121 exploits tracked across all sources.
Zomplog 3.9 - XSS
Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser.
by Mirabbas Ağalarov
CVSS 5.4
Mremoteng < 1.76.20 - Cleartext Storage
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
by Maximilian Barz
CVSS 7.5
Greenshot <1.2.10 - Code Injection
Greenshot 1.2.10 and below allows arbitrary code execution because .NET content is insecurely deserialized when a .greenshot file is opened.
by p4r4bellum
CVSS 7.8
copyparty <1.8.7 - XSS
copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one have inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue.
by Vartamtezidis Theodoros
CVSS 6.3
copyparty 1.8.2 - Directory Traversal
by Vartamtezidis Theodoros
AN_GradeBook <5.0.1 - SQL Injection
The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber
by Lukas Kinneberg
CVSS 8.8
RosarioSIS 10.8.4 - Code Injection
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
by Ranjeet Jaiswal
CVSS 5.4
October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
by Okan Kurtulus
mooSocial mooDating 1.2 - XSS
A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-235200. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
by CraCkEr
CVSS 3.5
Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
by Andrey Stoykov
Keeper Password Manager <17.2 - Info Disclosure
An issue was discovered in Keeper Password Manager for Desktop version 16.10.2 (fixed in 17.2), and the KeeperFill Browser Extensions version 16.5.4 (fixed in 17.2), allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information).
by H4rk3nz0
CVSS 5.5
Perch CMS 3.2 - XSS
Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks.
by Mirabbas Ağalarov
CVSS 5.4
Perch CMS 3.2 - RCE
Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server.
by Mirabbas Ağalarov
CVSS 7.2
Wifi-soft Unibox Administration - SQL Injection
Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page.
by Ansh Jain
CVSS 9.8
Netgate pfSense <2.7.0 - Command Injection
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.
by Emir Polat
CVSS 8.8
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
by Vulnerability-Lab
PaulPrinting CMS - (Search Delivery) Cross Site Scripting
by Vulnerability-Lab
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
by Vulnerability-Lab
Aures Booking & POS Terminal - Local Privilege Escalation
by Vulnerability-Lab
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
by Vulnerability-Lab
RWS WorldServer <11.7.3 - Info Disclosure
Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.
by RedTeam Pentesting GmbH
CVSS 5.3
By Source