Vulnerability-Lab

343 exploits Active since Jan 2008
CVE-2012-6517 EXPLOITDB text WRITEUP
diy-cms 1.0 - Cross-Site Scripting via Poll Module Parameters
Multiple cross-site scripting (XSS) vulnerabilities in DiY-CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) question parameter to /modules/poll/add.php or the (2) question or (3) answer parameter to modules/poll/edit.php.
CVE-2012-5899 EXPLOITDB text WRITEUP
SAMEDIA LandShop 0.9.2 - Cross-Site Scripting via OTR_HEADS Parameter
Cross-site scripting (XSS) vulnerability in admin/action/objects.php in SAMEDIA LandShop 0.9.2 allows remote attackers to inject arbitrary web script or HTML via the OTR_HEADS[] parameter in an edit action. NOTE: some of these details are obtained from third party information.
CVE-2012-5898 EXPLOITDB text WRITEUP
SAMEDIA LandShop 0.9.2 - Cross-Site Request Forgery
Cross-site request forgery (CSRF) vulnerability in SAMEDIA LandShop 0.9.2 allows remote attackers to hijack the authentication of administrators for requests that change account settings.
CVE-2012-2939 EXPLOITDB text WORKING POC
Travelon Express 6.2.2 - Authenticated Arbitrary File Upload via airline-edit.php, hotel-image-add.php, or hotel-add.php
Multiple unrestricted file upload vulnerabilities in Travelon Express 6.2.2 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension using (1) airline-edit.php, (2) hotel-image-add.php, or (3) hotel-add.php.
CVE-2012-4279 EXPLOITDB text WRITEUP
Free Realty 3.1-0.6 - SQL Injection via Agent Display or Admin Edit Parameters
Multiple SQL injection vulnerabilities in Free Realty 3.1-0.6 allow remote attackers to execute arbitrary SQL commands via the (1) view parameter to agentdisplay.php or (2) edit parameter to admin/admin.php.
CVE-2012-4278 EXPLOITDB text WRITEUP
Free Realty 3.1-0.6 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Free Realty 3.1-0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) notes parameter to (a) admin/agenteditor.php; (2) title, (3) previewdesc, (4) fulldesc, or (5) notes parameter (b) to agentadmin.php or (c) in an addlisting action to agentadmin.php; or unspecified vectors to (d) admin/adminfeatures.php.
CVE-2012-4265 EXPLOITDB text WRITEUP
Proman Xpress 5.0.1 - SQL Injection via category_edit.php cid Parameter
SQL injection vulnerability in category_edit.php in Proman Xpress 5.0.1 allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2012-4260 EXPLOITDB text WRITEUP
myCare2x - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in myCare2x allow remote attackers to execute arbitrary SQL commands via the (1) aktion or (2) callurl parameter to modules/patient/mycare2x_pat_info.php; (3) dept_nr or (4) pid parameter to modules/importer/mycare2x_importer.php; (5) myOpsEintrag or (6) keyword parameter in a Suchen action to modules/drg/mycare2x_proc_search.php; or (7) name_last or (8) pid parameter to modules/patient/mycare_pid.php.
CVE-2012-3839 EXPLOITDB text WRITEUP
MyClientBase 0.12 - SQL Injection via Invoice Search Parameters
Multiple SQL injection vulnerabilities in application/core/MY_Model.php in MyClientBase 0.12 allow remote attackers to execute arbitrary SQL commands via the (1) invoice_number or (2) tags parameter to index.php/invoice_search.
CVE-2012-2938 EXPLOITDB text WORKING POC
Travelon Express 6.2.2 - Cross-Site Scripting via Holiday Name Field
Multiple cross-site scripting (XSS) vulnerabilities in Travelon Express 6.2.2 allow remote attackers to inject arbitrary web script or HTML via the holiday name field to (1) holiday_add.php or (2) holiday_view.php.
CVE-2012-2908 EXPLOITDB text WORKING POC
Viscacha 0.8.1.1 - SQL Injection via bbcodeexample, buttonimage, or bbcodetag Parameter
Multiple SQL injection vulnerabilities in admin/bbcodes.php in Viscacha 0.8.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) bbcodeexample, (2) buttonimage, or (3) bbcodetag parameter.
CVE-2011-5228 EXPLOITDB text WRITEUP
appRain CMF 0.1.5 - Cross-Site Scripting via Search Module ss Parameter
Cross-site scripting (XSS) vulnerability in the Search module (quickstart/search) in appRain CMF 0.1.5 allows remote attackers to inject arbitrary web script or HTML via the ss parameter.
CVE-2011-5149 EXPLOITDB text WRITEUP
SpamTitan < 5.08 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in SpamTitan 5.08 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) testaddr or (2) testpass parameter to auth-settings.php; (3) hostname, (4) domainname, or (5) mailserver parameter to setup-relay.php; or (6) subnetmask or (7) defaultroute parameter to setup-network.php.
CVE-2019-14422 EXPLOITDB HIGH text WORKING POC
TortoiseSVN 1.12.1 - Remote Code Execution via Tsvncmd URI Handler
An issue was discovered in TortoiseSVN 1.12.1. The Tsvncmd: URI handler allows a customised diff operation on Excel workbooks, which could be used to open remote workbooks without protection from macro security settings to execute arbitrary code. A tsvncmd:command:diff?path:[file1]?path2:[file2] URI will execute a customised diff on [file1] and [file2] based on the file extension. For xls files, it will execute the script diff-xls.js using wscript, which will open the two files for analysis without any macro security warning. An attacker can exploit this by putting a macro virus on a network drive and forcing the victim to open the workbooks and execute the macro inside.
CVSS 8.8
CVE-2013-3179 EXPLOITDB text WRITEUP
Microsoft SharePoint Server 2007 SP3, 2010 SP1/SP2, 2013 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "SharePoint XSS Vulnerability."
EIP-2026-119359 EXPLOITDB text WRITEUP
Dell PacketTrap PSA 7.1 - Multiple Cross-Site Scripting Vulnerabilities
EIP-2026-119433 EXPLOITDB text WRITEUP
SonicWALL email security 7.3.5 - Multiple Vulnerabilities
EIP-2026-119391 EXPLOITDB text WRITEUP
MailOrderWorks 5.907 - Multiple Vulnerabilities
EIP-2026-119399 EXPLOITDB text WRITEUP
ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities
EIP-2026-119434 EXPLOITDB text WRITEUP
SonicWALL OEM Scrutinizer 9.5.2 - Multiple Vulnerabilities
EIP-2026-119358 EXPLOITDB text WRITEUP
Dell PacketTrap MSP RMM 6.6.x - Multiple Cross-Site Scripting Vulnerabilities
EIP-2026-119397 EXPLOITDB text WRITEUP
ManageEngine OpStor 7.4 - Multiple Vulnerabilities
EIP-2026-119435 EXPLOITDB text WRITEUP
SonicWALL Scrutinizer 9.5.2 - SQL Injection
CVE-2016-7851 EXPLOITDB MEDIUM text WRITEUP
Adobe Connect <= 9.5.6 - Cross-Site Scripting in Events Registration Module
Adobe Connect version 9.5.6 and earlier does not adequately validate input in the events registration module. This vulnerability could be exploited in cross-site scripting attacks.
CVSS 6.1
EIP-2026-119127 EXPLOITDB text WRITEUP
ServersCheck Monitoring Software 8.8.x - Multiple Vulnerabilities