Felipe Molina

14 exploits Active since Jan 2014
CVE-2020-11699 EXPLOITDB HIGH python WORKING POC
SpamTitan 7.07 - Authenticated Remote Code Execution via certs-x.php fname Parameter
An issue was discovered in Titan SpamTitan 7.07. Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page.
CVSS 8.8
CVE-2020-11803 EXPLOITDB HIGH python WORKING POC
SpamTitan 7.07 - Authenticated Remote Code Execution via mailqueue.php jaction Parameter
An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page.
CVSS 8.8
CVE-2015-9496 EXPLOITDB HIGH text WORKING POC
freshmail-newsletter < 1.6 - SQL Injection via FM_form Shortcode
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.
CVSS 8.8
CVE-2020-11698 METASPLOIT CRITICAL ruby WORKING POC
SpamTitan 7.07 - Remote Code Execution via SNMP Community Parameter
An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.
CVSS 9.8
EIP-2026-114140 EXPLOITDB text WRITEUP
WordPress Plugin Ultimate Product Catalogue - SQL Injection (1)
EIP-2026-114141 EXPLOITDB text WRITEUP
WordPress Plugin Ultimate Product Catalogue - SQL Injection (2)
EIP-2026-114142 EXPLOITDB text WORKING POC
WordPress Plugin Ultimate Product Catalogue 3.1.2 - Multiple Persistent Cross-Site Scripting / Cross-Site Request Forgery / Arbitrary File Upload Vulnerabilities
EIP-2026-113733 EXPLOITDB text WORKING POC
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
EIP-2026-113889 EXPLOITDB text WORKING POC
WordPress Plugin Memphis Document Library 3.1.5 - Arbitrary File Download
CVE-2020-11698 EXPLOITDB CRITICAL python WORKING POC
SpamTitan 7.07 - Remote Code Execution via SNMP Community Parameter
An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.
CVSS 9.8
EIP-2026-104497 EXPLOITDB text WRITEUP
WordPress Plugin Freshmail 1.5.8 - SQL Injection
CVE-2020-11804 EXPLOITDB HIGH python WORKING POC
SpamTitan 7.07 - Authenticated Code Injection via mailqueue.php quid Parameter
An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request.
CVSS 8.8
CVE-2019-15083 EXPLOITDB MEDIUM text WORKING POC
ManageEngine ServiceDesk Plus < 10500 - Stored Cross-Site Scripting via Workstation Software Name
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.
CVSS 6.1
CVE-2013-7204 EXPLOITDB text WRITEUP
Conceptronic CIPCAMPTIWL Camera 1.0-21.37.2.49 - CSRF
Cross-site request forgery (CSRF) vulnerability in set_users.cgi in Conceptronic CIPCAMPTIWL Camera 1.0 with firmware 21.37.2.49 allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users.