Gjoko 'LiquidWorm' Krstic

684 exploits, active since Nov 2005
CVE-2014-9101 EXPLOITDB text WORKING POC
Oxwall 1.7.0 / SkaDate Lite 2.0 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact via the (1) label parameter to admin/users/roles/, (2) lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0] in an AddAccountType action or (3) qst_name parameter in an addQuestion action to admin/questions/ajax-responder/, or (4) form_name or (5) restrictedUsername parameter to admin/restricted-usernames.
CVE-2008-4423 EXPLOITDB text WORKING POC
Ovidentia 6.6.5 - SQL Injection via Item Parameter in Contact Modify Action
SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to execute arbitrary SQL commands via the item parameter in a contact modify action.
EIP-2026-110000 EXPLOITDB text WORKING POC
NUUO NVRmini 2 3.0.8 - Multiple OS Command Injections
EIP-2026-109999 EXPLOITDB text WRITEUP
NUUO NVRmini 2 3.0.8 - Local File Disclosure
EIP-2026-109998 EXPLOITDB html WORKING POC
NUUO NVRmini 2 3.0.8 - Cross-Site Request Forgery (Add Admin)
EIP-2026-109996 EXPLOITDB text WORKING POC
NUUO NVRmini 2 3.0.8 - 'strong_user.php' Backdoor Remote Shell Access
EIP-2026-109994 EXPLOITDB text WORKING POC
NULL NUKE CMS 2.2 - Multiple Vulnerabilities
CVE-2011-4275 EXPLOITDB php WORKING POC
iTop 1.1.181 and 1.2.0-RC-282 - Cross-Site Scripting via Multiple Input Vectors
Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.
CVE-2014-5100 EXPLOITDB text WORKING POC
Omeka < 2.2.1 - Cross-Site Request Forgery
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security.
EIP-2026-110001 EXPLOITDB python WORKING POC
NUUO NVRmini 2 3.0.8 - Remote Code Execution
EIP-2026-109548 EXPLOITDB text WORKING POC
MODx REvolution CMS 2.0.4-pl2 - POST injection Cross-Site Scripting
EIP-2026-109621 EXPLOITDB text WORKING POC
MTP Poll 1.0 - Multiple Cross-Site Scripting Vulnerabilities
EIP-2026-109620 EXPLOITDB text WORKING POC
MTP Image Gallery 1.0 - 'edit_photos.php?title' Cross-Site Scripting
EIP-2026-109619 EXPLOITDB text WORKING POC
MTP Guestbook 1.0 - Multiple Cross-Site Scripting Vulnerabilities
CVE-2015-2269 EXPLOITDB text WORKING POC
Moodle < 2.5.9, 2.6.x < 2.6.9, 2.7.x < 2.7.6, 2.8.x < 2.8.4 - XSS via IMG Alt/Title
Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element.
CVE-2010-4349 EXPLOITDB text WORKING POC
MantisBT < 1.2.4 - Information Disclosure via Invalid db_type Parameter
admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_type parameter, which reveals the installation path in an error message, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP.
CVE-2014-4718 EXPLOITDB text WORKING POC
Lunar CMS < 3.3 - Cross-Site Request Forgery
Multiple cross-site request forgery (CSRF) vulnerabilities in Lunar CMS before 3.3-3 allow remote attackers to hijack the authentication of administrators for requests that (1) add Super users via a request to admin/user_create.php or conduct cross-site scripting (XSS) attacks via the (2) email or (3) subject parameter in contact_form.ext.php to admin/extensions.php.
EIP-2026-109451 EXPLOITDB html WORKING POC
Microweber 1.0.3 - Persistent Cross-Site Scripting / Cross-Site Request Forgery (Add Admin)
EIP-2026-109450 EXPLOITDB text WORKING POC
Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / PHP Remote Code Execution
CVE-2010-4350 EXPLOITDB text WORKING POC
MantisBT < 1.2.4 - Remote Code Execution via db_type Parameter in admin/upgrade_unattended.php
Directory traversal vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the db_type parameter, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP.
EIP-2026-109224 EXPLOITDB text WORKING POC
Lunar CMS 3.3 - Remote Command Execution
EIP-2026-108988 EXPLOITDB text WRITEUP
Kemana Directory 1.5.6 - kemana_admin_passwd Cookie User Password Hash Disclosure
EIP-2026-109141 EXPLOITDB text WORKING POC
LimeSurvey 2.00+ (build 131107) - Multiple Vulnerabilities
EIP-2026-108989 EXPLOITDB text WORKING POC
Kemana Directory 1.5.6 - Remote Code Execution
EIP-2026-108987 EXPLOITDB text WORKING POC
Kemana Directory 1.5.6 - Database Backup Disclosure