ZoRLu

CVE-2008-6196 EXPLOITDB text WRITEUP

Philippe CROCHAT EasySite 2.0 - Remote Code Execution via EASYSITE_BASE Parameter

Multiple PHP remote file inclusion vulnerabilities in Philippe CROCHAT EasySite 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the EASYSITE_BASE parameter to (1) browser.php, (2) image_editor.php and (3) skin_chooser.php in configuration/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

View Code

EIP-2026-107122 EXPLOITDB perl WORKING POC

Flat Calendar 1.1 - HTML Injection

View Code

EIP-2026-107121 EXPLOITDB text WORKING POC

Flat Calendar 1.1 - 'add.php' HTML Injection

View Code

CVE-2008-5288 EXPLOITDB text WORKING POC

Werner Hilversum FAQ Manager 1.2 - RCE

PHP remote file inclusion vulnerability in include/header.php in Werner Hilversum FAQ Manager 1.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the config_path parameter.

View Code

CVE-2008-7019 EXPLOITDB text WORKING POC

esqlanelapse 2.6.1-2.6.2 - Unauthenticated Authentication Bypass via Cookie Manipulation

Esqlanelapse 2.6.1 and 2.6.2 allows remote attackers to bypass authentication and gain privileges via modified (1) enombre and (2) euri cookies.

View Code

CVE-2008-2037 EXPLOITDB text WRITEUP

EditeurScripts EsContacts 1.0 - XSS

Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php.

View Code

CVE-2008-2037 EXPLOITDB text WRITEUP

EditeurScripts EsContacts 1.0 - XSS

Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php.

View Code

CVE-2008-2037 EXPLOITDB text WRITEUP

EditeurScripts EsContacts 1.0 - XSS

Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php.

View Code

CVE-2008-6196 EXPLOITDB text WORKING POC

Philippe CROCHAT EasySite 2.0 - Remote Code Execution via EASYSITE_BASE Parameter

Multiple PHP remote file inclusion vulnerabilities in Philippe CROCHAT EasySite 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the EASYSITE_BASE parameter to (1) browser.php, (2) image_editor.php and (3) skin_chooser.php in configuration/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

View Code

CVE-2008-2037 EXPLOITDB text WRITEUP

EditeurScripts EsContacts 1.0 - XSS

Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php.

View Code

CVE-2008-5803 EXPLOITDB text WORKING POC

E-topbiz Online Store 1.0 - SQL Injection

SQL injection vulnerability in admin/login.php in E-topbiz Online Store 1.0 allows remote attackers to execute arbitrary SQL commands via the user parameter (aka username field). NOTE: some of these details are obtained from third party information.

View Code

CVE-2008-7133 EXPLOITDB text WORKING POC

EasyImageCatalogue 1.3.1 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in onlinetools.org EasyImageCatalogue 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) search and (2) d index.php parameters to index.php, (3) dir parameter to thumber.php, and the d parameter to (4) describe.php and (5) addcomment.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

View Code

CVE-2008-7133 EXPLOITDB text WORKING POC

EasyImageCatalogue 1.3.1 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in onlinetools.org EasyImageCatalogue 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) search and (2) d index.php parameters to index.php, (3) dir parameter to thumber.php, and the d parameter to (4) describe.php and (5) addcomment.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

View Code

CVE-2008-7133 EXPLOITDB text WRITEUP

EasyImageCatalogue 1.3.1 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in onlinetools.org EasyImageCatalogue 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) search and (2) d index.php parameters to index.php, (3) dir parameter to thumber.php, and the d parameter to (4) describe.php and (5) addcomment.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

View Code

CVE-2008-7133 EXPLOITDB text WRITEUP

EasyImageCatalogue 1.3.1 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in onlinetools.org EasyImageCatalogue 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) search and (2) d index.php parameters to index.php, (3) dir parameter to thumber.php, and the d parameter to (4) describe.php and (5) addcomment.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

View Code

CVE-2008-4906 EXPLOITDB text WORKING POC

Lyrics (lyrics_menu) plugin 0.42 for e107 - SQL Injection via l_id Parameter

SQL injection vulnerability in lyrics_song.php in the Lyrics (lyrics_menu) plugin 0.42 for e107 allows remote attackers to execute arbitrary SQL commands via the l_id parameter. NOTE: some of these details are obtained from third party information.

View Code

CVE-2008-6438 EXPLOITDB text WORKING POC

MacGuru BLOG Engine Plugin 2.1.4-2.2 - SQL Injection via uid Parameter

SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected.

View Code

EIP-2026-106665 EXPLOITDB text WORKING POC

e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities

View Code

CVE-2008-1800 EXPLOITDB text WORKING POC

DivXDB 2002 0.94b - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in index.php in DivXDB 2002 0.94b allow remote attackers to inject arbitrary web script or HTML via the (1) choice, (2) _page_, (3) zone_admin, (4) general_search, and (5) import parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

View Code

CVE-2008-2415 EXPLOITDB text WRITEUP

DigitalHive 2.0 RC2 - Path Traversal via Page Parameter

Directory traversal vulnerability in template/purpletech/base_include.php in DigitalHive (aka hive) 2.0 RC2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.

View Code

CVE-2008-1985 EXPLOITDB text WRITEUP

DigitalHive 2.0 RC2 - Cross-Site Scripting via mt Parameter

Cross-site scripting (XSS) vulnerability in base.php in DigitalHive 2.0 RC2 allows remote attackers to inject arbitrary web script or HTML via the mt parameter, possibly related to membres.php.

View Code

CVE-2008-6468 EXPLOITDB text WORKING POC

Diesel Pay - SQL Injection via Area Parameter in Browse Action

SQL injection vulnerability in index.php in Diesel Pay allows remote attackers to execute arbitrary SQL commands via the area parameter in a browse action.

View Code

CVE-2008-5648 EXPLOITDB text WORKING POC

DeltaScripts PHP Shop 1.0 - SQL Injection

SQL injection vulnerability in admin/login.php in DeltaScripts PHP Shop 1.0 allows remote attackers to execute arbitrary SQL commands via the admin_username parameter. NOTE: some of these details are obtained from third party information.

View Code

CVE-2008-6720 EXPLOITDB text WORKING POC

DeltaScripts PHP Links < 1.3 - SQL Injection via admin_username Parameter

SQL injection vulnerability in admin/adm_login.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the admin_username parameter (aka the admin field).

View Code

CVE-2008-5805 EXPLOITDB text WORKING POC

DeltaScripts PHP Classifieds <7.5 - SQL Injection

SQL injection vulnerability in detail.php in DeltaScripts PHP Classifieds 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the siteid parameter, a different vector than CVE-2006-5828.

View Code