Jose Luis Gongora Fernandez (a.k.a) JosS

12 exploits Active since Apr 2009
CVE-2009-2401 EXPLOITDB text WORKING POC
PHPEcho CMS 2.0-rc3 - Stored Cross-Site Scripting via Forum Post
Cross-site scripting (XSS) vulnerability in PHPEcho CMS 2.0-rc3 allows remote attackers to inject arbitrary web script or HTML via a forum post.
CVE-2010-3457 EXPLOITDB text WORKING POC
Symphony CMS 2.0.7 and 2.1.1 - Cross-Site Scripting via Website Field or Recipient Parameter
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
EIP-2026-112115 EXPLOITDB text WORKING POC
Simple Machines Forum (SMF) 1.1.8 - 'avatar' Remote PHP File Execute
CVE-2009-1452 EXPLOITDB text WORKING POC
SMA-DB 0.3.13 - Remote Code Execution via _page_css or _page_javascript Parameter
Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript parameters. NOTE: the _page_content vector is already is covered by CVE-2009-1450.
CVE-2009-1483 EXPLOITDB text WORKING POC
Studio Lounge Address Book 2.5 - Unauthenticated Arbitrary File Upload via upload-file.php
Unrestricted file upload vulnerability in upload-file.php in Adam Patterson Studio Lounge Address Book 2.5, as reachable from index2.php, allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in profiles/.
CVE-2010-3458 EXPLOITDB text WORKING POC
Symphony CMS <2.1.1 - SQL Injection
SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
EIP-2026-111457 EXPLOITDB perl WORKING POC
pPIM 1.01 - 'notes.php' Remote Command Execution
CVE-2009-2402 EXPLOITDB text WORKING POC
PHPEcho CMS <2.0-rc3 - SQL Injection
SQL injection vulnerability in index.php in the forum module in PHPEcho CMS 2.0-rc3 allows remote attackers to execute arbitrary SQL commands via the id parameter in a thread action, a different vector than CVE-2008-0355.
CVE-2010-3210 EXPLOITDB text WORKING POC
Multi-lingual E-Commerce System 0.2 - RCE
Multiple PHP remote file inclusion vulnerabilities in Multi-lingual E-Commerce System 0.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) checkout2-CYM.php, (2) checkout2-EN.php, (3) checkout2-FR.php, (4) cat-FR.php, (5) cat-EN.php, (6) cat-CYM.php, (7) checkout1-CYM.php, (8) checkout1-EN.php, (9) checkout1-FR.php, (10) prod-CYM.php, (11) prod-EN.php, and (12) prod-FR.php in inc/.
CVE-2009-2223 EXPLOITDB text WORKING POC
LightOpenCMS 0.1 - Path Traversal via cwd Parameter
Directory traversal vulnerability in locms/smarty.php in LightOpenCMS 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cwd parameter. NOTE: remote file inclusion attacks may be possible.
CVE-2010-2916 EXPLOITDB text WORKING POC
AJ Square AJ HYIP MERIDIAN - SQL Injection
SQL injection vulnerability in news.php in AJ Square AJ HYIP MERIDIAN allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2915 EXPLOITDB text WORKING POC
AJ Square AJ HYIP PRIME - SQL Injection
SQL injection vulnerability in welcome.php in AJ Square AJ HYIP PRIME allows remote attackers to execute arbitrary SQL commands via the id parameter.