Steffen Rösemann

20 exploits Active since Dec 2004
CVE-2004-1519 EXPLOITDB WRITEUP
phpBugTracker 0.9.1 - SQL Injection
SQL injection vulnerability in bug.php in phpBugTracker 0.9.1 allows remote attackers to execute arbitrary SQL commands via (1) the bug_id parameter in a viewvotes operation or (2) the project parameter in an add operation.
CVE-2015-2142 EXPLOITDB HIGH WRITEUP
Phpbugtracker < 1.6.0 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php.
CVSS 8.0
CVE-2015-2143 EXPLOITDB HIGH WRITEUP
Phpbugtracker < 1.6.0 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters.
CVSS 8.8
CVE-2015-2145 EXPLOITDB MEDIUM WRITEUP
Phpbugtracker < 1.6.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVSS 4.8
CVE-2015-1371 EXPLOITDB WRITEUP
ferretCMS 1.0.4-alpha - RCE
Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in custom/uploads/.
CVE-2015-1372 EXPLOITDB WRITEUP
ferretCMS 1.0.4-alpha - SQL Injection
SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php.
CVE-2015-1373 EXPLOITDB WRITEUP
ferretCMS 1.0.4-alpha - XSS
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter in a search request, (2) username in a login request, which is not properly handled when logging the event, or (3) page title in an insert action.
CVE-2014-9434 EXPLOITDB WRITEUP
Absolut Engine 1.73 - XSS
Cross-site scripting (XSS) vulnerability in admin/managerrelated.php in the administrative backend in Absolut Engine 1.73 allows remote authenticated users to inject arbitrary web script or HTML via the title parameter.
CVE-2015-1562 WRITEUP
Saurus CMS 4.7.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Saurus CMS 4.7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) search parameter to admin/user_management.php, (2) data_search parameter to /admin/profile_data.php, or (3) filter parameter to error_log.php.
CVE-2015-2183 EXPLOITDB WRITEUP
Zeuscart - SQL Injection
Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an editcurrency action to admin/.
CVE-2015-2182 EXPLOITDB WRITEUP
Ajsquare Zeuscart - XSS
Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allow remote attackers to inject arbitrary web script or HTML via the (1) schltr parameter in a brands action or (2) brand parameter in a viewbrands action to index.php. NOTE: The search parameter vector is already covered by CVE-2010-5322.
CVE-2010-5322 EXPLOITDB WRITEUP
ZeusCart <4.0 - XSS
Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php.
CVE-2015-2184 EXPLOITDB WRITEUP
Ajsquare Zeuscart - Information Disclosure
ZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function.
CVE-2015-0919 EXPLOITDB WRITEUP
Sefrengo < 1.6.0 - SQL Injection
Multiple SQL injection vulnerabilities in the administrative backend in Sefrengo before 1.6.1 allow remote administrators to execute arbitrary SQL commands via the (1) idcat or (2) idclient parameter to backend/main.php.
EIP-2026-111293 EXPLOITDB WRITEUP
Piwigo 2.7.3 - Multiple Vulnerabilities
CVE-2015-1471 EXPLOITDB WRITEUP
Pragyan CMS 3.0 - SQL Injection
SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to the default URI.
CVE-2015-2147 EXPLOITDB CRITICAL WRITEUP
Phpbugtracker < 1.6.0 - SQL Injection
Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.
CVSS 9.8
CVE-2015-1374 EXPLOITDB WRITEUP
ferretCMS 1.0.4-alpha - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cross-site scripting (XSS), (2) SQL injection, or (3) unrestricted file upload attacks.
CVE-2014-9522 EXPLOITDB WRITEUP
CMS Papoo Light 6.0.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in CMS Papoo Light 6.0.0 (Rev 4701) allow remote attackers to inject arbitrary web script or HTML via the (1) author field to guestbook.php or (2) username field to account.php.
CVE-2014-9435 EXPLOITDB WRITEUP
Absolut Engine 1.73 - SQL Injection
Multiple SQL injection vulnerabilities in Absolut Engine 1.73 allow remote authenticated users to execute arbitrary SQL commands via the (1) sectionID parameter to admin/managersection.php, (2) userID parameter to admin/edituser.php, (3) username parameter to admin/admin.php, or (4) title parameter to admin/managerrelated.php.