header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Vulnerability Type
No results found
SQL Injection (6841)
Buffer Overflow (3830)
Cross-Site Scripting (2498)
Denial of Service (1853)
Remote Code Execution (1494)
Cross-Site Scripting (XSS) (852)
Directory Traversal (841)
Remote File Include (787)
Remote File Inclusion (723)
Privilege Escalation (675)
Authentication Bypass (671)
Local File Inclusion (606)
Information Disclosure (483)
Remote Command Execution (459)
Arbitrary File Upload (427)
Blind SQL Injection (425)
HTML Injection (398)
Cross-Site Request Forgery (384)
Command Injection (349)
Cross-Site Request Forgery (CSRF) (331)
Stack Buffer Overflow (320)
Stack Overflow (304)
Remote SQL Injection (288)
Unquoted Service Path (264)
Memory Corruption (254)
Denial of Service (DoS) (246)
Stored XSS (246)
Local Privilege Escalation (245)
Local File Include (241)
Remote Denial of Service (229)
Use-After-Free (211)
Heap-overflow (201)
Stored Cross-Site Scripting (XSS) (197)
Persistent Cross Site Scripting (187)
Remote Code Execution (RCE) (176)
XSS (169)
Stack-Based Buffer Overflow (165)
Remote Buffer Overflow (146)
Format String Vulnerability (145)
CSRF (142)
Path Traversal (136)
Integer Overflow (135)
Arbitrary Code Execution (134)
Code Execution (134)
Remote File Disclosure (127)
Input Validation (125)
SQL Injection and Cross Site Scripting (123)
Stored Cross Site Scripting (117)
Command Execution (115)
Insecure Cookie Handling (113)
CWE
No results found
89 (8351)
79 (5937)
119 (4722)
78 (2037)
22 (1944)
98 (1882)
N/A (1389)
200 (1304)
400 (1281)
264 (1205)
287 (1099)
352 (1097)
120 (1032)
94 (1031)
20 (1026)
Unknown (897)
434 (850)
269 (267)
416 (254)
284 (219)
121 (196)
134 (187)
190 (149)
399 (138)
611 (120)
426 (115)
476 (110)
Buffer Overflow (110)
120 (Buffer Copy without Checking Size of Input) (104)
362 (95)
125 (92)
601 (87)
428 (86)
843 (86)
502 (85)
787 (84)
798 (79)
122 (77)
427 (73)
Not mentioned (70)
522 (65)
Not provided (59)
80 (55)
259 (54)
918 (44)
113 (40)
285 (40)
613 (39)
614 (37)
None (35)
CPE
No results found
N/A (12110)
Unknown (758)
None (168)
Not mentioned (160)
a:microsoft:internet_explorer (139)
o:microsoft:windows (132)
Not provided (121)
o:linux:linux_kernel (97)
Not Specified (90)
a:joomla:joomla (72)
Not Available (52)
a:wordpress:wordpress (49)
o:apple:mac_os_x (47)
o:freebsd:freebsd (44)
o:microsoft:windows_xp (37)
a:mozilla:firefox (35)
a:php:php (34)
o:microsoft:windows_2000 (34)
a:google:chrome (31)
o:sun:solaris (27)
o:microsoft:windows_2000::sp4 (25)
a:microsoft:iis (23)
a:wireshark:wireshark (23)
a:adobe:flash_player (22)
a:apple:safari (22)
o:microsoft:windows_7 (22)
a:apache:tomcat (21)
o:microsoft:windows_xp::sp2 (18)
a:invision_power_services:invision_power_board (16)
o:microsoft:windows_xp::sp3 (16)
o:sgi:irix (16)
a:apple:quicktime (15)
a:samba:samba (15)
a:mybb:mybb (14)
a:mysql:mysql (14)
a:phpnuke:php-nuke (14)
a:videolan:vlc_media_player (14)
a:cpanel:cpanel (13)
a:microsoft:windows_media_player (13)
a:openemr:openemr (13)
a:opera_software:opera (13)
Solaris (13)
2.0 (12)
a:freepbx:freepbx (12)
a:oracle:virtualbox (12)
a:php:php:5.0.0 (12)
apple:safari (12)
o:cisco:ios (12)
o:google:android (12)
o:hp:hp-ux (12)
Vendor
No results found
N/A (3323)
Microsoft (1764)
WordPress (672)
Unknown (576)
Joomla! (539)
Apple (448)
Sourcecodester (363)
Oracle (319)
IBM (254)
Adobe (242)
Apache (242)
Linux (228)
Cisco (194)
HP (178)
PHP (170)
Mozilla (164)
Google (163)
Sun (141)
D-Link (140)
Novell (125)
Inc (107)
PHPGurukul (106)
Symantec (100)
PHP-Nuke (92)
ManageEngine (91)
Codecanyon (88)
XOOPS (87)
GNU (84)
Ltd. (84)
MyBB (83)
PHP Script Small (83)
phpBB (79)
SAP (76)
FreeBSD (73)
Sun Microsystems (69)
NETGEAR (68)
Not mentioned (68)
SourceForge (67)
vBulletin (64)
Hewlett Packard (61)
TP-Link (60)
Trend Micro (60)
Wireshark (58)
McAfee (57)
Mambo (56)
IPSwitch (54)
Itechscripts (53)
VMware (52)
VideoLAN (51)
e107 (50)
Product Name
No results found
N/A (695)
Internet Explorer (307)
Windows (303)
Linux Kernel (183)
PHP (172)
Unknown (140)
Firefox (115)
Solaris (113)
Joomla (107)
Mac OS X (96)
Flash Player (90)
Windows XP (88)
WordPress (87)
CMS (71)
Safari (65)
Chrome (62)
FreeBSD (57)
vBulletin (57)
Windows 7 (57)
Wireshark (55)
Kernel (54)
PHP-Nuke (54)
MySQL (52)
phpBB (51)
VLC media player (50)
Windows 2000 (50)
Windows 10 (49)
MyBB (48)
IIS (46)
Winamp (45)
AIX (44)
iOS (43)
macOS (40)
Android (38)
Opera (38)
Oracle Database (38)
Tomcat (38)
Windows Media Player (38)
Invision Power Board (37)
Samba (37)
Irix (35)
PHP-Fusion (35)
Linux (33)
phpMyAdmin (33)
osCommerce (32)
RealPlayer (32)
Apache HTTP Server (31)
ProFTPD (31)
Chromium (30)
OpenEMR (30)
Version
From
No results found
N/A (6626)
Unknown (1792)
1 (961)
1.0 (901)
3.1 (726)
1.1 (323)
2 (285)
All versions (234)
1.2 (223)
2.0 (221)
2.1 (175)
3 (157)
1.5 (150)
1.3 (146)
1.0.0 (142)
2.2 (140)
All (119)
1.0.1 (106)
1.4 (100)
v1.0 (98)
0.1 (95)
3.0 (95)
2.5 (94)
4 (90)
1.0.2 (84)
not specified (82)
2.3 (81)
1.6 (74)
Not mentioned (73)
< 3.2 (70)
2.0.0 (70)
6 (68)
5 (64)
1.0.3 (62)
1.7 (61)
3.3 (59)
2.0.1 (57)
2.4 (57)
Windows 7 (57)
1.8 (53)
3.5 (51)
Windows 2000 (51)
0.2 (50)
3.0.0 (48)
Not provided (48)
2.6 (46)
1.0.4 (45)
2.0.2 (45)
4.0 (45)
4.2 (45)
To
No results found
N/A (7012)
Unknown (2684)
1.0 (858)
1 (796)
3.5-RC7 (386)
1.1 (310)
2 (250)
1.2 (247)
2.0 (229)
All versions (221)
2.1 (153)
Not mentioned (153)
3 (152)
1.5 (142)
1.3 (131)
2.2 (129)
not specified (127)
All (118)
Other versions may also be affected. (114)
1.0.0 (111)
1.0.1 (97)
v1.0 (95)
1.0.2 (92)
2.5 (91)
3.0 (91)
1.4 (89)
3.1 (89)
0.1 (83)
Prior versions (79)
Not provided (78)
4 (77)
2.3 (75)
1.6 (72)
5 (66)
1.7 (63)
3.2 (63)
1.0.3 (61)
6 (59)
3.3 (57)
2.4 (56)
Windows 10 (55)
1.8 (54)
2.0.1 (54)
3.5 (49)
None (48)
2.0.2 (47)
2.6 (46)
4.0 (45)
4.2 (45)
0.2 (43)
Severity Type
No results found
HIGH (33263)
MEDIUM (4679)
N/A (2324)
CRITICAL (1705)
LOW (287)
Severity Number
No results found
7.5 (16267)
7 (7608)
5 (6608)
8 (3345)
N/A (2741)
9 (2195)
8.8 (1966)
5.5 (1836)
3 (1433)
9.8 (995)
Exploit Author
No results found
SecurityFocus (6696)
Unknown (2432)
Ihsan Sencan (887)
Gjoko 'LiquidWorm' Krstic (361)
Anonymous (353)
Project Zero (308)
milw0rm.com (271)
juan vazquez (245)
rgod (243)
LiquidWorm (222)
MC (202)
ajann (187)
Luigi Auriemma (187)
N/A (187)
Google Security Research (183)
indoushka (182)
shinnai (162)
sinn3r (154)
hdm (138)
John Page (aka hyp3rlinx) (131)
jduck (121)
cr4wl3r (113)
Hussin X (113)
Not mentioned (111)
Vulnerability Laboratory Research Team (108)
ZoRLu (99)
Kacper (a.k.a Rahim) (92)
nu11secur1ty (91)
mr_me (90)
Easy Laster (89)
CWH Underground (88)
S@BUN (84)
SirGod (83)
Ahmet Ümit BAYRAM (80)
High-Tech Bridge Security Research Lab (80)
xoron (80)
Dr_IDE (78)
Sid3^effects aKa haRi (78)
Todor Donev (75)
hyp3rlinx (74)
Stack (73)
Francis Provencher (71)
High-Tech Bridge SA - Ethical Hacking & Penetration Testing (70)
Ismail Tasdelen (70)
AntiSecurity (69)
His0k4 (68)
Kingcope (65)
ThE g0bL!N (65)
Not Specified (64)
Miroslav Stampar (61)
Platforms Tested
No results found
N/A (12658)
Windows (4998)
Linux (3440)
None (1839)
Mac (981)
Unknown (939)
Windows XP SP3 (683)
WiN7_x64/KaLiLinuX_x64 (546)
Windows 10 (529)
unix (487)
Windows 7 (410)
Kali Linux (332)
PHP (305)
Kali linux X64 (296)
Win7 x64 (276)
Windows XP SP2 (267)
Windows XP (233)
WordPress (196)
iOS (151)
All (142)
Not mentioned (132)
macOS (126)
Ubuntu (120)
Microsoft Windows (117)
Not Specified (106)
Solaris (105)
Apache (99)
Windows 7 x64 (98)
Android (96)
Xampp (91)
FreeBSD (90)
Windows 10 Pro x64 es (80)
Mac OS X (78)
Windows 2000 (77)
Windows 10 x64 (73)
Ubuntu 18.04 (72)
Windows 7 SP1 (70)
Windows Vista (70)
Not provided (69)
Windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu) (68)
Windows 7 x86 (67)
Windows XP SP3 EN (62)
Kali Linux 2.0 (59)
Windows 10 Pro (59)
Windows XP Professional SP2 (59)
Debian (55)
Linux & Windows (55)
Windows XP Professional SP2 with Internet Explorer 7 (53)
Java (51)
Microsoft Windows XP Professional SP3 (EN) (50)
Year
Year
No results found
2008 (3443)
2009 (3242)
2020 (2781)
Unknown (2618)
2010 (2541)
2002 (2329)
2006 (2050)
2012 (1810)
2005 (1774)
2018 (1744)
2017 (1739)
2007 (1560)
2011 (1328)
2013 (1295)
2019 (1295)
2016 (1130)
2015 (1109)
2021 (1104)
2014 (995)
2023 (733)
2004 (529)
2022 (474)
2001 (444)
2003 (387)
2000 (238)
N/A (178)
2024 (155)
Not mentioned (138)
1999 (136)
Not provided (89)
Not Specified (89)
1998 (72)
1997 (48)
1996 (16)
Not available (9)
HIGH (6)
None (6)
[date] (4)
2005-2006 (4)
0day (3)
1994 (3)
Discovered in 2020 (3)
Found in 2020 (3)
MEDIUM (3)
TBD (3)
1988 (2)
2003-2004 (2)
2004-2019 (2)
2006-2007 (2)
2009/2010 (2)

Explore all Exploits:

Integer Overflow in Lowerer::LowerSetConcatStrMultiItem Method

The method Lowerer::LowerSetConcatStrMultiItem is used to generate machine code to concatenate strings. At (a), there's no check for integer overflow. Chakra uses string chains to handle concatenated strings(the ConcatString class). So it doesn't require much memory to trigger the bug. The proof of concept code creates a string of length 0x10000 and then concatenates it with a string of length 0x10000, resulting in an integer overflow.

WordPress Download Manager [CSRF]

Plugin implements the AJAX action `wpdm-install-addon` which calls the function `wpdm_install_addon`. This function doesn't take any anti-CSRF measures thus making it susceptible to those kind of attacks. What is interesting about this function though, is the fact that it provides plugin installation functionality for admin users. The origin of the package is defined by the `$_REQUEST['addon']` if is set without any validation. A malicious actor can exploit this to install a malicious plugin in the vulnerable site. In fact the install package doesn't need to be a valid plugin, it could just contain malicious code. Because the package is extracted in the `/wp-content/plugins/` dir without changing it's original folder structure, an attacker could leverage the CSRF to upload malicious code and execute the code on the infected server.

Admin Menu Tree Page View [CSRF, Privilege Escalation]

Plugin implements AJAX action `admin_menu_tree_page_view_add_page` which calls back the function `admin_menu_tree_page_view_add_page`. The later does not implement any anti-CSRF controls or security checks. Leveraging a CSRF attack an attacker could perform a Persistent XSS attack if the victim has administrative rights (see PoC). The AJAX action is a privileged one so it's only available for registered users. Even so it doesn't implement any capabilities checks so it's available to all users no matter the access level. This could allow any registered user to create arbitrary posts no matter the access level.

CMS Tree Page View [CSRF, Privilege Escalation]

Plugin implements AJAX action `cms_tpv_add_page` which calls back the function `cms_tpv_add_page`. The later does not implement any anti-CSRF controls or security checks. Leveraging a CSRF attack an attacker could perform a Persistent XSS attack if the victim has administrative rights (see PoC). The AJAX action is a privileged one so it's only available for registered users. Even so it doesn't implement any capabilities checks so it's available to all users no matter the access level. This could allow any registered user to create arbitrary posts no matter the access level.

Social Media Widget by Acurax [CSRF]

Plugin implements AJAX action `acx_asmw_saveorder` which calls back the function `acx_asmw_saveorder_callback`. The later does not implement any anti-CSRF controls thus allowing a malicious actor to perform an attack that could update plugin specific option `social_widget_icon_array_order`. Leveraging a CSRF could lead to a Persistent XSS (see PoC). Payload will be served when a user with the right privileges visits plugin's settings page (`wp-admin/admin.php?page=Acurax-Social-Widget-Settings`).

Uninitialized Kernel Pool Memory Disclosure

A vulnerability in the nt!NtQuerySystemInformation system call with the 138 information class can be exploited to disclose portions of uninitialized kernel pool memory to user-mode clients. The issue is caused by the internal nt!ExpQueryMemoryTopologyInformation function not properly initializing the output buffer. On Windows 10 version 1709 32-bit systems, the output size is 0x70 (112) bytes and 12 bytes in three 4-byte chunks of consecutive memory are not properly initialized and contain leftover data from the kernel pool. The issue can be reproduced by running a proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe.

Chakra fails to detect if “tmp” escapes the scope

Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values. The proof of concept code shows that when the function opt() is called, the variable tmp is allocated to the stack and when the function main() is called, the variable tmp is dereferenced which leads to uninitialized stack values.

Recent Exploits:

cqrsecured