Jesper Jurcenoks

19 exploits, active since Jan 2007
CVE-2007-1899 EXPLOITDB text WORKING POC
myWebland myBloggie 2.1.6 - SQL Injection via User ID Parameter
Multiple SQL injection vulnerabilities in myWebland myBloggie 2.1.6 allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a viewuser action to index.php, and allow remote authenticated administrators to execute arbitrary SQL commands via (2) the post_id parameter in an edit action to admin.php.
CVE-2007-3127 EXPLOITDB text WORKING POC
IBM WebSphere Portal 1.0 - Information Disclosure via SQL Error in Page Parameter
content.php in WSPortal 1.0, when magic_quotes_gpc is disabled, allows remote attackers to obtain sensitive information via a "';" (quote semicolon) sequence in the page parameter, which reveals the installation path in the resulting forced SQL error message.
CVE-2007-1902 EXPLOITDB text WORKING POC
SonicBB 1.0 - SQL Injection via Part or By Parameter in Search or ID Parameter in Viewforum
Multiple SQL injection vulnerabilities in SonicBB 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) part and (2) by parameters to (a) search.php, or the (3) id parameter to (b) viewforum.php.
CVE-2007-4874 EXPLOITDB text WORKING POC
SimpNews 2.41.03 - Cross-Site Scripting via l_username and backurl Parameters
Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.03 allow remote attackers to inject arbitrary web script or HTML via the (1) l_username parameter to admin/layout2b.php, and the (2) backurl parameter to comment.php.
CVE-2007-1903 EXPLOITDB text WRITEUP
SonicBB 1.0 - Cross-Site Scripting via Search Part Parameter
Cross-site scripting (XSS) vulnerability in search.php in SonicBB 1.0 allows remote attackers to inject arbitrary web script or HTML via the part parameter.
CVE-2007-4874 EXPLOITDB text WORKING POC
SimpNews 2.41.03 - Cross-Site Scripting via l_username and backurl Parameters
Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.03 allow remote attackers to inject arbitrary web script or HTML via the (1) l_username parameter to admin/layout2b.php, and the (2) backurl parameter to comment.php.
CVE-2008-3080 EXPLOITDB text WORKING POC
myWebland myBloggie 2.1.6 - Cross-Site Request Forgery in admin.php
Cross-site request forgery (CSRF) vulnerability in admin.php in myWebland myBloggie 2.1.6 allows remote attackers to perform edit actions as administrators. NOTE: this can be leveraged to execute SQL commands by also exploiting CVE-2007-1899.
CVE-2007-2686 EXPLOITDB text WORKING POC
Jetbox CMS 2.1 - Cross-Site Scripting via Login Parameter in Password Reset
Cross-site scripting (XSS) vulnerability in index.php in Jetbox CMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the login parameter in a sendpwd task.
CVE-2007-2685 EXPLOITDB text WORKING POC
Jetbox CMS 2.1 - SQL Injection via View or Login Parameter
Multiple SQL injection vulnerabilities in index.php in Jetbox CMS 2.1 allow remote attackers to execute arbitrary SQL commands via the (1) view or (2) login parameter.
CVE-2007-1898 EXPLOITDB text WORKING POC
Jetbox CMS 2.1 - Unauthenticated Arbitrary Email Spamming via formmail.php Parameters
formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitrary e-mails (spam) via modified recipient, _SETTINGS[allowed_email_hosts][], and subject parameters.
CVE-2007-3653 EXPLOITDB text WRITEUP
FaName 1.0 - Cross-Site Scripting via key/desc/name Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Farsi Script (aka FaScript) FaName 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) key or (2) desc parameter to index.php, or (3) the name parameter to page.php.
CVE-2007-3653 EXPLOITDB text WORKING POC
FaName 1.0 - Cross-Site Scripting via key/desc/name Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Farsi Script (aka FaScript) FaName 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) key or (2) desc parameter to index.php, or (3) the name parameter to page.php.
CVE-2007-2801 EXPLOITDB text WRITEUP
eTicket 1.5.5 and 1.5.5.1 - Cross-Site Scripting via err and warn Parameters
Multiple cross-site scripting (XSS) vulnerabilities in open.php in eTicket 1.5.5 and 1.5.5.1, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) err and (2) warn parameters. NOTE: the vendor disputes the significance of the issue, stating that "eTicket is not designed to work with register_globals On."
CVE-2007-0693 EXPLOITDB text WORKING POC
DGNews 2.1 - SQL Injection via catid Parameter
SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newslist action. NOTE: this issue can produce resultant cross-site scripting (XSS).
CVE-2006-6487 EXPLOITDB text WRITEUP
DT Guestbook 1.0f - Cross-Site Scripting via Error Parameter
Cross-site scripting (XSS) vulnerability in index.php in DT Guestbook (dt_guestbook) 1.0f, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the error[] parameter.
CVE-2007-0694 EXPLOITDB text WRITEUP
DGNews 2.1 - Cross-Site Scripting via Copyright Parameter
Cross-site scripting (XSS) vulnerability in footer.php in DGNews 2.1 allows remote attackers to inject arbitrary web script or HTML via the copyright parameter.
CVE-2007-3183 EXPLOITDB text WORKING POC
Calendarix 0.7.20070307 - SQL Injection via Month/Year Parameters or Search String
Multiple SQL injection vulnerabilities in Calendarix 0.7.20070307, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters to calendar.php and the (3) search string to cal_search.php.
CVE-2007-3182 EXPLOITDB text WRITEUP
Calendarix 0.7.20070307 - Cross-Site Scripting via year, month, and leftfooter Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Calendarix 0.7.20070307, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) year and (2) month parameters to calendar.php, and the (3) leftfooter parameter to cal_footer.inc.php. NOTE: the ycyear parameter to yearcal.php is already covered by CVE-2006-1835.
CVE-2007-0605 EXPLOITDB text WRITEUP
Advanced Guestbook 2.4.2 - Cross-Site Scripting via Picture Parameter
Cross-site scripting (XSS) vulnerability in picture.php in Advanced Guestbook 2.4.2 allows remote attackers to inject arbitrary web script or HTML via the picture parameter.