Exploitdb Exploits
50,123 exploits tracked across all sources.
MicroWorld eScan Management Console <14.0.1400.2281 - SQL Injection
SQL injection in the View User Profile in MicroWorld eScan Management Console 14.0.1400.2281 allows a remote attacker to dump the entire database and gain a Windows XP command shell to perform code execution on the database server via GetUserCurrentPwd?UsrId=1.
by Sahil Ojha
CVSS 7.2
Microworld Technologies eScan <14.0.1400.2281 - XSS
Cross Site Scripting (XSS) in the edit user form in Microworld Technologies eScan management console 14.0.1400.2281 allows a remote attacker to inject arbitrary code via the from parameter.
by Sahil Ojha
CVSS 9.0
MobileTrans <4.0.11 - Privilege Escalation
Insecure permissions in MobileTrans v4.0.11 allow attackers to escalate privileges to local admin by replacing the executable file.
by Thurein Soe
CVSS 7.8
WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
by Wadeek
Webkul Qloapps - XSS
Cross Site Scripting vulnerability found in Webkul QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
by Astik Rawat
CVSS 6.1
Stackposts Social Marketing Tool v1.0 - SQL Injection
by Ahmet Ümit BAYRAM
GetSimple CMS <3.3.16 - RCE
GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.
by Youssef Muhammad
CVSS 9.8
Civicrm - XSS
Stored Cross Site Scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code via the first/second name field.
by Andrea Intilangelo
CVSS 5.4
ChurchCRM <4.5.4 - XSS
ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.
by Rahad Chowdhury
CVSS 4.8
Bludit v3.14.1 - XSS
Bludit v3.14.1 is vulnerable to Stored Cross Site Scripting (XSS) via SVG file on site logo. NOTE: the product's security model is that users are trusted by the administrator to insert arbitrary content (users cannot create their own accounts through self-registration).
by Rahad Chowdhury
CVSS 5.4
Best POS Management System v1.0 - Unauthenticated Remote Code Execution
by Mesut Cetin
Papercut MF < 20.1.7 - Improper Access Control
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
by MaanVader
CVSS 9.8
Squarepiginteractive Fusioninvoice - XSS
Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionInvoice 2023-1.0 allows attackers to execute arbitrary code via the description or content fields of the expenses, tasks, and customer details.
by Andrea Intilangelo
CVSS 6.1
Apache Superset Signed Cookie Priv Esc
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
All Superset installations should always set a unique, secure, random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database.
Add a strong SECRET_KEY to your `superset_config.py` file like:
```
SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>
```
Alternatively, you can set it with the `SUPERSET_SECRET_KEY` environment variable.
by MaanVader
CVSS 8.9
Yank Note <3.52.1 - RCE
Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process').
by 8bitsec
CVSS 8.8
Gin 0.7.4 - RCE
Gin 0.7.4 allows execution of arbitrary code when a crafted file is opened, e.g., via require('child_process').
by 8bitsec
CVSS 7.8
PnPSCADA - SQL Injection
The PnPSCADA system, a product of SDG Technologies CC, is afflicted by a critical unauthenticated error-based PostgreSQL Injection vulnerability. Present within the hitlogcsv.jsp endpoint, this security flaw permits unauthenticated attackers to engage with the underlying database seamlessly and passively. Consequently, malicious actors could gain access to vital information, such as Industrial Control System (ICS) and OT data, alongside other sensitive records like SMS and SMS Logs. The unauthorized database access exposes compromised systems to potential manipulation or breach of essential infrastructure data, highlighting the severity of this vulnerability.
by Momen Eldawakhly
CVSS 9.8
Screen SFT DAB 600/C - Authentication Bypass Account Creation
by LiquidWorm
Optoma 1080pstx - Authentication Bypass
An authentication bypass in Optoma 1080PSTX C02 allows an attacker to access the administration console without valid credentials.
by Anthony Cole
CVSS 9.8
TinyWebGallery v2.5 - XSS
TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages.
by Mirabbas Ağalarov
CVSS 5.4