CraCkEr

101 exploits Active since Mar 2007
CVE-2008-5943 EXPLOITDB text WRITEUP
NavBoard 16 (2.6.0) - Path Traversal
Multiple directory traversal vulnerabilities in NavBoard 16 (2.6.0) allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to (1) admin_modules.php and (2) modules.php.
CVE-2009-2611 EXPLOITDB text WORKING POC
MyFusion 6 Beta - Path Traversal and Arbitrary File Execution via settings[locale] Parameter
Directory traversal vulnerability in infusions/last_seen_users_panel/last_seen_users_panel.php in MyFusion (aka MyF) 6 Beta, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the settings[locale] parameter.
CVE-2023-4173 EXPLOITDB LOW text WORKING POC
mooSocial mooStore 3.1.6 - Cross-Site Scripting via Search Query Parameter
A vulnerability, which was classified as problematic, was found in mooSocial mooStore 3.1.6. Affected is an unknown function of the file /search/index. The manipulation of the argument q leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-236208.
CVSS 3.5
CVE-2023-3849 EXPLOITDB LOW text WORKING POC
mooSocial mooDating 1.2 - Cross-Site Scripting in URL Handler
A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-235200. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
CVSS 3.5
CVE-2008-2974 EXPLOITDB text WRITEUP
MM Chat 1.5 - Path Traversal via currentlang Parameter
Directory traversal vulnerability in chatconfig.php in MM Chat 1.5, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the currentlang parameter.
CVE-2008-2888 EXPLOITDB text WORKING POC
MiGCMS 2.0.5 - Remote Code Execution via GLOBALS[application][app_root] Parameter
Multiple PHP remote file inclusion vulnerabilities in MiGCMS 2.0.5, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[application][app_root] parameter to (1) collection.class.php and (2) content_image.class.php in lib/obj/.
CVE-2025-2126 EXPLOITDB MEDIUM text WORKING POC
JoomlaUX JUX Real Estate 3.4.0 - SQL Injection
A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla and classified as critical. This issue affects some unknown processing of the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties of the component GET Parameter Handler. The manipulation of the argument title leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3
CVE-2023-4382 EXPLOITDB LOW text WORKING POC
tdevs hyip_rio 2.1 - Cross-Site Scripting via Profile Settings Avatar Parameter
A vulnerability, which was classified as problematic, has been found in tdevs Hyip Rio 2.1. Affected by this issue is some unknown functionality of the file /user/settings of the component Profile Settings. The manipulation of the argument avatar leads to cross site scripting. The attack may be launched remotely. VDB-237314 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 3.5
CVE-2008-1609 EXPLOITDB text WORKING POC
jaf_cms 4.0 RC2 - Remote Code Execution via URL Parameter Injection
Multiple PHP remote file inclusion vulnerabilities in just another flat file (JAF) CMS 4.0 RC2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) website parameter to (a) forum.php, (b) headlines.php, and (c) main.php in forum/, and (2) main_dir parameter to forum/forum.php. NOTE: other main_dir vectors are already covered by CVE-2006-7127.
EIP-2026-107759 EXPLOITDB text WORKING POC
IDMOS 1.0 - 'site_absolute_path' Multiple Remote File Inclusions
CVE-2008-1074 EXPLOITDB text WORKING POC
GROUP-E 1.6.41 - Remote Code Execution via CFG[PREPEND_FILE] Parameter
PHP remote file inclusion vulnerability in lib/head_auth.php in GROUP-E 1.6.41 allows remote attackers to execute arbitrary PHP code via a URL in the CFG[PREPEND_FILE] parameter.
CVE-2008-2982 EXPLOITDB text WORKING POC
HomePH Design 2.10 RC2 - Path Traversal via Multiple Parameters
Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/.
CVE-2008-6740 EXPLOITDB text WORKING POC
HoMaP-CMS 0.1 - Remote Code Execution via _settings[pluginpath] Parameter
PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.
CVE-2008-2898 EXPLOITDB text WORKING POC
hedgehog-cms 1.21 - Path Traversal and Arbitrary File Execution via c_temp_path Parameter
Directory traversal vulnerability in includes/header.php in Hedgehog-CMS 1.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the c_temp_path parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
EIP-2026-107543 EXPLOITDB text WORKING POC
GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)
CVE-2008-6636 EXPLOITDB text WORKING POC
Geody Dagger r12feb2008 - Remote Code Execution via dir_edge_skins Parameter
PHP remote file inclusion vulnerability in skins/default.php in Geody Labs Dagger - The Cutting Edge r12feb2008, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the dir_edge_skins parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-2985 EXPLOITDB text WORKING POC
CMReams CMS 1.3.1.1 Beta 2 - Path Traversal via load_language.php page_language Parameter
Directory traversal vulnerability in load_language.php in CMReams CMS 1.3.1.1 Beta 2, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page_language parameter.
CVE-2023-4407 EXPLOITDB MEDIUM text WORKING POC
Credit Lite 1.5.4 - SQL Injection via POST Request Handler
A vulnerability classified as critical was found in Codecanyon Credit Lite 1.5.4. Affected by this vulnerability is an unknown functionality of the file /portal/reports/account_statement of the component POST Request Handler. The manipulation of the argument date1/date2 leads to sql injection. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-237511.
CVSS 6.3
CVE-2008-2877 EXPLOITDB text WORKING POC
cmsWorks 2.2 RC4 - Remote Code Execution via mod_root Parameter
PHP remote file inclusion vulnerability in admin/include/lib.module.php in cmsWorks 2.2 RC4, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mod_root parameter.
CVE-2023-4708 EXPLOITDB MEDIUM text WRITEUP
Clcknshop 1.0.0 - SQL Injection via GET Parameter Handler
A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /collection/all of the component GET Parameter Handler. The manipulation of the argument tag leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-238571. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3
EIP-2026-105720 EXPLOITDB text WORKING POC
Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
CVE-2009-2183 EXPLOITDB text WORKING POC
Campsite <3.3.0 RC1 - Path Traversal
Directory traversal vulnerability in admin-files/ad.php in Campsite 3.3.0 RC1 allows remote attackers to read and possibly execute arbitrary local files via a .. (dot dot) in the GLOBALS[g_campsiteDir] parameter.
EIP-2026-104899 EXPLOITDB text WRITEUP
Academy LMS 6.2 - SQL Injection
EIP-2026-104874 EXPLOITDB text WRITEUP
A+ PHP Scripts News Management System 0.3 - Multiple Input Validation Vulnerabilities
CVE-2023-4168 EXPLOITDB MEDIUM text WRITEUP
Templatecookie Adlisting 2.14.0 - Information Disclosure in Redirect Handler
A vulnerability was found in Templatecookie Adlisting 2.14.0. It has been classified as problematic. Affected is an unknown function of the file /ad-list of the component Redirect Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-236184. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.3