Skip to main content
CVE-2016-6600 CRITICAL POC THREAT Emergency

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.6%.

Path Traversal File Upload Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
90.6%
Threat
6.2
CVE-2016-4010 CRITICAL POC PATCH THREAT Act Now

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 86.9%.

RCE Adobe PHP Magento
NVD Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
86.9%
Threat
6.1
CVE-2016-6601 HIGH POC THREAT Act Now

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.8%.

Path Traversal Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
7.5
EPSS
92.8%
Threat
5.8
CVE-2016-6603 CRITICAL POC THREAT Emergency

ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 70.3%.

Authentication Bypass Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
70.3%
Threat
5.6
CVE-2016-6602 CRITICAL POC THREAT Emergency

ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 47.8%.

Information Disclosure Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
47.8%
Threat
4.9
CVE-2016-4338 HIGH POC THREAT Act Now

The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 45.0%.

RCE SQLi Zabbix
NVD Exploit-DB VulDB
CVSS 3.0
8.1
EPSS
45.0%
Threat
4.5
CVE-2016-7567 CRITICAL POC PATCH THREAT Act Now

Buffer overflow in the SLPFoldWhiteSpace function in common/slp_compare.c in OpenSLP 2.0 allows remote attackers to have unspecified impact via a crafted string. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.8%.

Buffer Overflow Openslp
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
10.8%
CVE-2016-2242 CRITICAL POC Act Now

Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Exponent Cms
NVD VulDB
CVSS 3.0
9.8
EPSS
9.6%
CVE-2016-5873 CRITICAL POC PATCH Act Now

Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow RCE Pecl Http
NVD GitHub VulDB
CVSS 3.0
9.8
EPSS
4.7%
CVE-2015-8972 CRITICAL POC PATCH Act Now

Stack-based buffer overflow in the ValidateMove function in frontend/move.cc in GNU Chess (aka gnuchess) before 6.2.4 might allow context-dependent attackers to execute arbitrary code via a large. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow RCE Chess
NVD VulDB
CVSS 3.1
9.8
EPSS
2.4%
CVE-2016-6517 CRITICAL POC Act Now

Directory traversal vulnerability in Liferay 5.1.0 allows remote attackers to have unspecified impact via a %2E%2E (encoded dot dot) in the minifierBundleDir parameter to barebone.jsp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Liferay
NVD VulDB
CVSS 3.0
9.8
EPSS
1.3%
CVE-2015-8857 CRITICAL POC PATCH Act Now

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Uglifyjs
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2016-1417 HIGH POC This Week

Untrusted search path vulnerability in Snort 2.9.7.0-WIN32 allows remote attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse tcapi.dll that is located in the same. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Snort
NVD VulDB
CVSS 3.0
8.8
EPSS
4.3%
CVE-2016-4340 HIGH POC PATCH This Week

The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Gitlab Privilege Escalation
NVD Exploit-DB VulDB
CVSS 3.0
8.8
EPSS
2.5%
CVE-2016-0769 HIGH POC This Week

Multiple SQL injection vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow (1) remote administrators to execute arbitrary SQL commands via the delid parameter or remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi PHP Eshop Plugin
NVD VulDB
CVSS 3.0
8.8
EPSS
2.1%
CVE-2016-4793 HIGH POC PATCH This Week

The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Cakephp
NVD Exploit-DB VulDB
CVSS 3.0
7.5
EPSS
8.3%
CVE-2016-7792 HIGH POC This Week

Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the database by directly connecting to it. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Authentication Bypass Unifi Ap Ac Lite Firmware
NVD VulDB
CVSS 3.0
8.8
EPSS
0.9%
CVE-2016-6521 HIGH POC PATCH This Week

Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Grails
NVD GitHub VulDB
CVSS 3.0
8.8
EPSS
0.3%
CVE-2016-10156 HIGH POC PATCH This Week

A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Privilege Escalation Systemd
NVD GitHub Exploit-DB VulDB
CVSS 3.0
7.8
EPSS
0.7%
CVE-2016-1281 HIGH POC PATCH This Week

Untrusted search path vulnerability in the installer for TrueCrypt 7.2 and 7.1a, VeraCrypt before 1.17-BETA, and possibly other products allows local users to execute arbitrary code with. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Truecrypt Veracrypt
NVD VulDB
CVSS 3.0
7.8
EPSS
0.2%
CVE-2015-8858 HIGH POC PATCH This Week

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Uglifyjs
NVD VulDB
CVSS 3.0
7.5
EPSS
0.9%
CVE-2015-8315 HIGH POC PATCH This Week

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Ms Vercel
NVD VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2016-5119 HIGH POC PATCH This Week

The automatic update feature in KeePass 2.33 and earlier allows man-in-the-middle attackers to execute arbitrary code by spoofing the version check response and supplying a crafted update. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Keepass
NVD VulDB
CVSS 3.0
7.5
EPSS
0.3%
CVE-2015-4626 HIGH POC This Week

B.A.S C2Box before 4.0.0 (r19171) relies on client-side validation, which allows remote attackers to "corrupt the business logic" via a negative value in an overdraft. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure C2Box
NVD VulDB
CVSS 3.0
7.5
EPSS
0.2%
CVE-2016-3147 CRITICAL Act Now

Buffer overflow in the collector.exe listener of the Landesk Management Suite 10.0.0.271 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Denial Of Service Landesk Management Suite
NVD VulDB
CVSS 3.1
9.8
EPSS
7.6%
CVE-2016-4055 MEDIUM POC PATCH This Month

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Node.js Moment Nessus Primavera Unifier
NVD VulDB
CVSS 3.1
6.5
EPSS
2.7%
CVE-2016-4484 MEDIUM POC PATCH This Month

The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Debian Authentication Bypass Cryptsetup
NVD VulDB
CVSS 3.0
6.8
EPSS
0.5%
CVE-2017-5539 CRITICAL PATCH Act Now

The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal B2Evolution
NVD GitHub VulDB
CVSS 3.0
9.1
EPSS
7.4%
CVE-2015-7743 MEDIUM POC This Month

XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Prtg Network Monitor
NVD VulDB
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-5574 CRITICAL PATCH Act Now

SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows unauthenticated users to execute arbitrary SQL commands via the activation parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Genixcms
NVD GitHub VulDB
CVSS 3.0
9.8
EPSS
3.4%
CVE-2014-8362 CRITICAL Act Now

Vivint Sky Control Panel 1.1.1.9926 allows remote attackers to enable and disable the alarm system and modify other security settings via the Web-enabled interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Sky Control Panel Firmware
NVD VulDB
CVSS 3.0
9.8
EPSS
2.7%
CVE-2016-2783 CRITICAL Act Now

Avaya Fabric Connect Virtual Services Platform (VSP) Operating System Software (VOSS) before 4.2.3.0 and 5.x before 5.0.1.0 does not properly handle VLAN and I-SIS indexes, which allows remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Vsp Operating System Software
NVD VulDB
CVSS 3.0
9.8
EPSS
2.5%
CVE-2014-9772 MEDIUM POC PATCH This Month

The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Node.js Node Js
NVD VulDB
CVSS 3.0
6.1
EPSS
0.4%
CVE-2016-4056 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Typo3
NVD VulDB
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-0765 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page or (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP Eshop Plugin
NVD VulDB
CVSS 3.0
6.1
EPSS
0.3%
CVE-2015-8862 MEDIUM POC PATCH This Month

mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Node.js Mustache Js
NVD VulDB
CVSS 3.0
6.1
EPSS
0.1%
CVE-2017-5569 CRITICAL Act Now

An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Patient Portal
NVD GitHub VulDB
CVSS 3.0
9.8
EPSS
1.4%
CVE-2016-5742 CRITICAL Act Now

SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Movable Type Movable Type Open Source
NVD VulDB
CVSS 3.0
9.8
EPSS
1.0%
CVE-2016-1925 CRITICAL Act Now

Integer underflow in header.c in lha allows remote attackers to have unspecified impact via a large header size value for the (1) level0 or (2) level1 header in a lha archive, which triggers a buffer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Lha For Unix
NVD VulDB
CVSS 3.0
9.8
EPSS
0.9%
CVE-2016-6164 CRITICAL Act Now

Integer overflow in the mov_build_index function in libavformat/mov.c in FFmpeg before 2.8.8, 3.0.x before 3.0.3 and 3.1.x before 3.1.1 allows remote attackers to have unspecified impact via vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Ffmpeg
NVD VulDB
CVSS 3.0
9.8
EPSS
0.9%
CVE-2017-5575 CRITICAL PATCH Act Now

SQL injection vulnerability in inc/lib/Options.class.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the modules parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Genixcms
NVD GitHub VulDB
CVSS 3.0
9.8
EPSS
0.7%
CVE-2016-3177 CRITICAL PATCH Act Now

Multiple use-after-free and double-free vulnerabilities in gifcolor.c in GIFLIB 5.1.2 have unspecified impact and attack vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Giflib
NVD VulDB
CVSS 3.0
9.8
EPSS
0.5%
CVE-2016-10157 CRITICAL Act Now

Akamai NetSession 1.9.3.1 is vulnerable to DLL Hijacking: it tries to load CSUNSAPI.dll without supplying the complete path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Netsession Akamai
NVD VulDB
CVSS 3.0
9.8
EPSS
0.4%
CVE-2016-7036 CRITICAL PATCH Act Now

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Python Jose
NVD GitHub VulDB
CVSS 3.0
9.8
EPSS
0.4%
CVE-2016-9081 CRITICAL PATCH Act Now

Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Joomla
NVD VulDB
CVSS 3.0
9.8
EPSS
0.2%
CVE-2016-7410 MEDIUM POC This Month

The _dwarf_read_loc_section function in dwarf_loc.c in libdwarf 20160613 allows attackers to cause a denial of service (buffer over-read) via a crafted file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Information Disclosure Libdwarf
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2016-6223 CRITICAL PATCH Act Now

The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in tif_read.c in libtiff before 4.0.7 allows remote attackers to cause a denial of service (crash) or possibly obtain sensitive information via a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Libtiff
NVD VulDB
CVSS 3.0
9.1
EPSS
1.2%
CVE-2016-6582 CRITICAL PATCH Act Now

The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Doorkeeper
NVD GitHub VulDB
CVSS 3.0
9.1
EPSS
0.6%
CVE-2016-9012 HIGH This Week

CloudVision Portal (CVP) before 2016.1.2.1 allows remote authenticated users to gain access to the internal configuration mechanisms via the management plane, related to a request to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Cloudvision Portal
NVD VulDB
CVSS 3.0
8.8
EPSS
0.7%
CVE-2017-5563 HIGH This Week

LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Information Disclosure Libtiff
NVD VulDB
CVSS 3.0
8.8
EPSS
0.4%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy