Mahendra

9 exploits Active since Oct 2013
CVE-2013-6041 EXPLOITDB WORKING POC
Softaculous Webuzo < 2.1.3 - OS Command Injection
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.
CVE-2013-6042 EXPLOITDB WORKING POC
Softaculous Webuzo < 2.1.3 - XSS
Cross-site scripting (XSS) vulnerability in filemanager/login.php in the File Manager module in Softaculous Webuzo before 2.1.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter.
CVE-2014-1222 EXPLOITDB WORKING POC
Vtiger CRM < 6.0.0 - Path Traversal
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM.
CVE-2014-9145 EXPLOITDB WORKING POC
Fiyo CMS 2.0.1.8 - SQL Injection
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an edit action to dapur/index.php; (2) cat, (3) user, or (4) level parameter to dapur/apps/app_article/controller/article_list.php; or (5) email parameter in an email action or (6) username parameter in a user action to dapur/apps/app_user/controller/check_user.php.
CVE-2014-9146 EXPLOITDB WORKING POC
Fiyo CMS 2.0.1.8 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) id, (3) page, or (4) app parameter to the default URI or the (5) act parameter to dapur/index.php.
CVE-2014-9147 EXPLOITDB HIGH WORKING POC
Fiyo CMS 2.0.1.8 - Info Disclosure
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
CVSS 7.5
CVE-2013-5979 EXPLOITDB WORKING POC
Xibo - Path Traversal
Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
CVE-2013-6043 EXPLOITDB WORKING POC
Softaculous Webuzo < 2.1.3 - Information Disclosure
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.
CVE-2014-9148 EXPLOITDB CRITICAL WORKING POC
Fiyo CMS 2.0.1.8 - Auth Bypass
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
CVSS 9.8