Manuel García Cárdenas

23 exploits Active since Sep 2014
CVE-2017-17088 EXPLOITDB HIGH python WORKING POC
SyncBreeze < 10.2.12 - Denial of Service via Host Header Buffer Overflow
The Enterprise version of SyncBreeze 10.2.12 and earlier is affected by a Remote Denial of Service vulnerability. The web server does not check bounds when reading server requests in the Host header on making a connection, resulting in a classic Buffer Overflow that causes a Denial of Service.
CVSS 7.5
EIP-2026-116109 EXPLOITDB text WORKING POC
PyroBatchFTP < 3.19 - Buffer Overflow
CVE-2014-9236 EXPLOITDB text WRITEUP
Zoph < 0.9.1 - Cross-Site Scripting via photographer_id or _crumb Parameter
Cross-site scripting (XSS) vulnerability in php/edit_photos.php in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) photographer_id or (2) _crumb parameter.
EIP-2026-114085 EXPLOITDB text WRITEUP
WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection
CVE-2018-16283 EXPLOITDB CRITICAL text WORKING POC
Wechat Broadcast < 1.2.0 - Path Traversal via Image.php URL Parameter
The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter.
CVSS 9.8
CVE-2013-2586 EXPLOITDB text WRITEUP
XAMPP 1.8.1 - Cross-Site Scripting via WriteIntoLocalDisk Method
XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method.
CVE-2018-10969 EXPLOITDB CRITICAL text WORKING POC
Pie Register < 3.0.10 - SQL Injection via Invitation Codes Grid
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
CVSS 9.8
CVE-2019-9618 EXPLOITDB CRITICAL text WRITEUP
WordPress Media Player 1.0 - Local File Inclusion
The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.
CVSS 9.8
CVE-2018-16299 EXPLOITDB HIGH text WORKING POC
Localize My Post 1.0 - Path Traversal via AJAX Include File Parameter
The Localize My Post plugin 1.0 for WordPress allows Directory Traversal via the ajax/include.php file parameter.
CVSS 7.5
CVE-2014-9243 EXPLOITDB text WRITEUP
WebsiteBaker 2.8.3 - Cross-Site Scripting via QUERY_STRING or section_id Parameter
Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4) news/modify_group.php, (5) news/modify_post.php, or (6) news/modify_settings.php in wb/modules/.
CVE-2018-7474 EXPLOITDB CRITICAL text WRITEUP
Textpattern < 4.6.2 - SQL Injection via qty Parameter
An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.
CVSS 9.8
CVE-2013-2624 EXPLOITDB MEDIUM text WRITEUP
telaen < 1.3.1 - Exposure of Sensitive Information via Crafted URL Request
Telean before 1.3.1 contains a full path disclosure vulnerability which could allow remote attackers to obtain sensitive information through a specially crafted URL request.
CVSS 5.3
CVE-2013-2623 EXPLOITDB MEDIUM text WORKING POC
telaen < 1.3.1 - Cross-Site Scripting via f_email Parameter
Cross-site Scripting (XSS) in Telaen before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the "f_email" parameter in index.php.
CVSS 6.1
CVE-2013-2621 EXPLOITDB MEDIUM text WRITEUP
Telaen < 1.3.1 - Open Redirect via redir.php URL Parameter
Open Redirection Vulnerability in the redir.php script in Telaen before 1.3.1 allows remote attackers to redirect victims to arbitrary websites via a crafted URL.
CVSS 6.1
EIP-2026-112866 EXPLOITDB text WRITEUP
UliCMS v9.8.1 - SQL Injection
CVE-2014-9115 EXPLOITDB text WRITEUP
Piwigo <2.5.5, <2.6.x before 2.6.4, <2.7.x before 2.7.2 - SQL Injec...
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
CVE-2019-12922 EXPLOITDB MEDIUM text WRITEUP
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery in Setup Page
A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.
CVSS 6.5
EIP-2026-110809 EXPLOITDB text WRITEUP
PHP-Fusion 7.02.07 - Blind SQL Injection
EIP-2026-107809 EXPLOITDB text WRITEUP
ImpressCMS 1.3.9 - SQL Injection
CVE-2016-7400 EXPLOITDB CRITICAL text WRITEUP
Exponent CMS < 2.3.9 - SQL Injection via id, title, or content_id Parameter
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action.
CVSS 9.8
EIP-2026-106112 EXPLOITDB text WRITEUP
Composr CMS 10.0.30 - Persistent Cross-Site Scripting
EIP-2026-105273 EXPLOITDB text WRITEUP
Asteriskguru Queue Statistics - 'warning' Cross-Site Scripting
CVE-2018-8831 EXPLOITDB MEDIUM text WRITEUP
Kodi < 17.6 - Stored Cross-Site Scripting via Playlist
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
CVSS 6.1