In a web-based environment the most attacked applications are those having direct or indirect relation to internet.

The list of such applications mostly comprised from PDF readers, digital document processors, media players and web browsers, while in case of web-browsers in addition to its internal vulnerabilities, web- browsers may also suffer from vulnerabilities found in installed plug-ins (like ActiveX or Firefox add-ons).

Here are some examples of known vulnerabilities (as named in CVE) and their possible exploitation:

Description Vulnerability CVE identifier
Heap-based buffer overflow in the custom heap management system in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, aka FG-VD-10-005. CVE-2010-1241
Adobe Reader 9.3.1 on Windows does not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message. CVE-2003-0533
SQL injection vulnerability in the HD FLV Player (com_hdflvplayer) component 1.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. CVE-2010-0884
Microsoft Windows Media Player 11 does not properly perform color space conversion, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .AVI file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. CVE-2010-1042
The USB service in VMware Workstation 7.0 before 7.0.1 build 227600 and VMware Player 3.0 before 3.0.1 build 227600 on Windows might allow host OS users to gain privileges by placing a Trojan horse program at an unspecified location on the host OS disk. CVE-2010-1140

Few recent examples show that when it comes to a web browsers and web applications vulnerabilities then even banking structures may become victims of the attackers. Like it happened in 2010 when the front page of the NorthWesternBank web site was injected with the iFrame leading to the client-side exploits and with the Bank of India back in 2007 when the same attack vector was used making its site serving the malware purposes.