High-Tech Bridge SA

441 exploits Active since Apr 2010
CVE-2015-8358 EXPLOITDB text WORKING POC
bitrix.mpbuilder < 1.0.11 - Authenticated Path Traversal via Work Array Parameter
Directory traversal vulnerability in the bitrix.mpbuilder module before 1.0.12 for Bitrix allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the element name of the "work" array parameter to admin/bitrix.mpbuilder_step2.php.
CVE-2013-4880 EXPLOITDB text WORKING POC
BigTree CMS < 4.0 - Cross-Site Scripting via Module Parameter
Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter.
CVE-2010-5315 EXPLOITDB text WORKING POC
BEdita < 3.0.1.2550 "betula" - Cross-Site Request Forgery via News Categories or Admin User Save
Multiple cross-site request forgery (CSRF) vulnerabilities in BEdita before 3.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create categories via a data array to news/saveCategories or (2) modify credentials via a data array to admin/saveUser.
EIP-2026-105161 EXPLOITDB html WORKING POC
Amethyst 0.1.5 - Cross-Site Scripting
EIP-2026-105163 EXPLOITDB text WORKING POC
Amiro.CMS 5.8.4.0 - Multiple HTML Injection Vulnerabilities
CVE-2012-5244 EXPLOITDB text WORKING POC
Banana Dance < b.2.6 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to functions/print.php; or (7) the name parameter to functions/ajax.php.
EIP-2026-105372 EXPLOITDB text WORKING POC
Backbone Technology Expression 18.9.2010 - Cross-Site Scripting
CVE-2012-5700 EXPLOITDB text WORKING POC
Baby Gekko < 1.2.2 - Cross-Site Scripting via Admin ID or Login Credentials
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some of these details are obtained from third party information.
CVE-2013-2945 EXPLOITDB text WRITEUP
b2evolution < 4.1.7 - Authenticated SQL Injection via show_statuses[] Parameter
SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
CVE-2013-2474 EXPLOITDB HIGH text WORKING POC
AWS XMS 2.5 - Path Traversal via 'what' Parameter
Directory traversal vulnerability in AWS XMS 2.5 allows remote attackers to view arbitrary files via the 'what' parameter.
CVSS 7.5
CVE-2010-4882 EXPLOITDB text WORKING POC
Auto CMS 1.6 - Cross-Site Scripting via Sitetitle Parameter
Cross-site scripting (XSS) vulnerability in autocms.php in Auto CMS 1.6 allows remote attackers to inject arbitrary web script or HTML via the sitetitle parameter.
CVE-2014-1401 EXPLOITDB text WRITEUP
AuraCMS <= 2.3 - Authenticated SQL Injection via Search Parameter or HTTP Headers
Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search parameter to mod/content/content.php or (2) CLIENT_IP, (3) X_FORWARDED_FOR, (4) X_FORWARDED, (5) FORWARDED_FOR, or (6) FORWARDED HTTP header to index.php.
CVE-2012-5453 EXPLOITDB text WORKING POC
ATutor AContent <1.2 - SQL Injection
SQL injection vulnerability in user/index_inline_editor_submit.php in ATutor AContent 1.2-1 allows remote authenticated users to execute arbitrary SQL commands via the field parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-5167.
EIP-2026-105288 EXPLOITDB text WORKING POC
ATutor 1.0 - Multiple 'cid' Cross-Site Scripting Vulnerabilities
CVE-2014-4170 EXPLOITDB CRITICAL text WRITEUP
ArticleFR 11.06.2014 - Privilege Escalation
A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information.
CVSS 9.8
EIP-2026-105235 EXPLOITDB html WORKING POC
ArtGK CMS - Cross-Site Scripting / HTML Injection
EIP-2026-105234 EXPLOITDB text WORKING POC
ARSC Really Simple Chat 3.3-rc2 - Cross-Site Scripting / Multiple SQL Injections
EIP-2026-105230 EXPLOITDB text WORKING POC
Argyle Social - Multiple Cross-Site Scripting Vulnerabilities
CVE-2013-6058 EXPLOITDB text WRITEUP
appRain CMF < 3.0.2 - SQL Injection via PATH_INFO to blog-by-cat/
SQL injection vulnerability in appRain CMF 3.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to blog-by-cat/.
CVE-2010-2436 EXPLOITDB text WRITEUP
anecms_blog < 1.3 - SQL Injection via PATH_INFO
SQL injection vulnerability in modules/blog/index.php in AneCMS Blog 1.3 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO.
CVE-2010-2437 EXPLOITDB text WORKING POC
anecms_blog < 1.3 - Stored Cross-Site Scripting via Comment Variable
Cross-site scripting (XSS) vulnerability in class/tools.class.php in AneCMS Blog 1.3 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the comment variable to modules/blog/index.php.
EIP-2026-105052 EXPLOITDB text WORKING POC
Ajax Chat 1.0 - 'ajax-chat.php' Cross-Site Scripting
EIP-2026-104834 EXPLOITDB text WRITEUP
360 Web Manager 3.0 - 'webpages-form-led-edit.php' SQL Injection
CVE-2012-0996 EXPLOITDB text WRITEUP
11in1 1.2.1 - Path Traversal via Class Parameter
Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12-31-2011 allow remote attackers to read arbitrary files via a .. (dot dot) in the class parameter to (1) index.php or (2) admin/index.php.
EIP-2026-104847 EXPLOITDB text WORKING POC
4Images 1.7.9 - Multiple Vulnerabilities