Mahendra

9 exploits, active since Oct 2013
CVE-2013-6041 EXPLOITDB WORKING POC
Softaculous Webuzo < 2.1.4 - Remote Code Execution via SOFTCookies sid Cookie
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.
CVE-2013-6042 EXPLOITDB WORKING POC
Webuzo < 2.1.4 - Cross-Site Scripting via File Manager Login User Parameter
Cross-site scripting (XSS) vulnerability in filemanager/login.php in the File Manager module in Softaculous Webuzo before 2.1.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter.
CVE-2014-1222 EXPLOITDB WORKING POC
vtiger CRM < 6.0.0 - Authenticated Path Traversal via KCFinder File Parameter
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM.
CVE-2014-9145 EXPLOITDB WORKING POC
Fiyo CMS 2.0.1.8 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an edit action to dapur/index.php; (2) cat, (3) user, or (4) level parameter to dapur/apps/app_article/controller/article_list.php; or (5) email parameter in an email action or (6) username parameter in a user action to dapur/apps/app_user/controller/check_user.php.
CVE-2014-9146 EXPLOITDB WORKING POC
Fiyo CMS 2.0.1.8 - Cross-Site Scripting via Multiple URI Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) id, (3) page, or (4) app parameter to the default URI or the (5) act parameter to dapur/index.php.
CVE-2014-9147 EXPLOITDB HIGH text WORKING POC
Fiyo CMS < 2.0.1.8 - Exposure of Sensitive Information via Database Backup File
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
CVSS 7.5
CVE-2013-5979 EXPLOITDB text WORKING POC
Xibo 1.2.x < 1.2.3 and 1.4.x < 1.4.2 - Path Traversal via Index.php p Parameter
Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
CVE-2013-6043 EXPLOITDB text WORKING POC
Softaculous Webuzo < 2.1.4 - Username Enumeration via Login Error Messages
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.
CVE-2014-9148 EXPLOITDB CRITICAL text WORKING POC
fiyo_cms < 2.0.1.8 - Improper Access Control via Direct Request to fiyo/dapur
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
CVSS 9.8