Steffen Rösemann

20 exploits Active since Dec 2004
CVE-2004-1519 EXPLOITDB WRITEUP
phpBugTracker 0.9.1 - SQL Injection
SQL injection vulnerability in bug.php in phpBugTracker 0.9.1 allows remote attackers to execute arbitrary SQL commands via (1) the bug_id parameter in a viewvotes operation or (2) the project parameter in an add operation.
CVE-2015-2142 EXPLOITDB HIGH WRITEUP
phpBugTracker < 1.6.0 - Authenticated Cross-Site Request Forgery via Multiple Parameters
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php.
CVSS 8.0
CVE-2015-2143 EXPLOITDB HIGH WRITEUP
phpBugTracker < 1.6.0 - Cross-Site Request Forgery
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters.
CVSS 8.8
CVE-2015-2145 EXPLOITDB MEDIUM WRITEUP
Phpbugtracker < 1.6.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVSS 4.8
CVE-2015-1371 EXPLOITDB WRITEUP
ferretCMS 1.0.4-alpha - Authenticated Remote Code Execution via Unrestricted File Upload
Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in custom/uploads/.
CVE-2015-1372 EXPLOITDB WRITEUP
ferretCMS 1.0.4-alpha - SQL Injection
SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php.
CVE-2015-1373 EXPLOITDB WRITEUP
ferretCMS 1.0.4-alpha - Cross-Site Scripting via Action Parameter or Username
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter in a search request, (2) username in a login request, which is not properly handled when logging the event, or (3) page title in an insert action.
CVE-2014-9434 EXPLOITDB WRITEUP
Absolut Engine 1.73 - Authenticated Cross-Site Scripting via Title Parameter
Cross-site scripting (XSS) vulnerability in admin/managerrelated.php in the administrative backend in Absolut Engine 1.73 allows remote authenticated users to inject arbitrary web script or HTML via the title parameter.
CVE-2015-1562 WRITEUP WRITEUP
Saurus CMS 4.7.0 - Cross-Site Scripting via Search Parameter
Multiple cross-site scripting (XSS) vulnerabilities in Saurus CMS 4.7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) search parameter to admin/user_management.php, (2) data_search parameter to /admin/profile_data.php, or (3) filter parameter to error_log.php.
CVE-2015-2183 EXPLOITDB text WRITEUP
ZeusCart 4 - Authenticated SQL Injection via Admin Backend Parameters
Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an editcurrency action to admin/.
CVE-2015-2182 EXPLOITDB text WRITEUP
ZeusCart 4 - Cross-Site Scripting via schltr or brand Parameter
Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allow remote attackers to inject arbitrary web script or HTML via the (1) schltr parameter in a brands action or (2) brand parameter in a viewbrands action to index.php. NOTE: The search parameter vector is already covered by CVE-2010-5322.
CVE-2010-5322 EXPLOITDB text WRITEUP
ZeusCart < 4.0 - Cross-Site Scripting via Search Parameter
Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php.
CVE-2015-2184 EXPLOITDB text WRITEUP
ZeusCart 4 - Exposure of Sensitive Information via phpinfo Function
ZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function.
CVE-2015-0919 EXPLOITDB text WRITEUP
Sefrengo < 1.6.0 - Authenticated SQL Injection via idcat or idclient Parameter
Multiple SQL injection vulnerabilities in the administrative backend in Sefrengo before 1.6.1 allow remote administrators to execute arbitrary SQL commands via the (1) idcat or (2) idclient parameter to backend/main.php.
EIP-2026-111293 EXPLOITDB text WRITEUP
Piwigo 2.7.3 - Multiple Vulnerabilities
CVE-2015-1471 EXPLOITDB text WRITEUP
Pragyan CMS 3.0 - SQL Injection via User Parameter
SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to the default URI.
CVE-2015-2147 EXPLOITDB CRITICAL text WRITEUP
Phpbugtracker < 1.6.0 - SQL Injection
Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.
CVSS 9.8
CVE-2015-1374 EXPLOITDB text WRITEUP
ferretCMS 1.0.4-alpha - Cross-Site Request Forgery in admin.php
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cross-site scripting (XSS), (2) SQL injection, or (3) unrestricted file upload attacks.
CVE-2014-9522 EXPLOITDB text WRITEUP
CMS Papoo Light 6.0.0 Rev 4701 - Cross-Site Scripting via Guestbook Author or Account Username
Multiple cross-site scripting (XSS) vulnerabilities in CMS Papoo Light 6.0.0 (Rev 4701) allow remote attackers to inject arbitrary web script or HTML via the (1) author field to guestbook.php or (2) username field to account.php.
CVE-2014-9435 EXPLOITDB text WRITEUP
Absolut Engine 1.73 - SQL Injection
Multiple SQL injection vulnerabilities in Absolut Engine 1.73 allow remote authenticated users to execute arbitrary SQL commands via the (1) sectionID parameter to admin/managersection.php, (2) userID parameter to admin/edituser.php, (3) username parameter to admin/admin.php, or (4) title parameter to admin/managerrelated.php.