milw0rm

75 exploits. Active since May 1997.
CVE-2006-6369 EXPLOITDB text WORKING POC
Invision Community Blog Mod 1.2.4 - SQL Injection
SQL injection vulnerability in lib/entry_reply_entry.php in Invision Community Blog Mod 1.2.4 allows remote attackers to execute arbitrary SQL commands via the eid parameter, when accessed through the "Preview message" functionality.
EIP-2026-107332 EXPLOITDB text WRITEUP
Gallery 1.2.5 - 'GALLERY_BASEDIR' Multiple Remote File Inclusions
EIP-2026-107473 EXPLOITDB text WORKING POC
Graffiti CMS 1.x - Arbitrary File Upload
CVE-2008-0905 EXPLOITDB text WORKING POC
Globsy 1.0 - Path Traversal via File Parameter
Directory traversal vulnerability in globsy_edit.php in Globsy 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
CVE-2008-6189 EXPLOITDB text WORKING POC
GForge 4.5.19 - SQL Injection via Offset Parameter
SQL injection vulnerability in GForge 4.5.19 allows remote attackers to execute arbitrary SQL commands via the offset parameter to (1) new/index.php, (2) news/index.php, and (3) top/topusers.php, which is not properly handled in database-pgsql.php.
CVE-2007-0681 EXPLOITDB CRITICAL html WORKING POC
ExtCalendar < 2 - Unauthenticated Password Change via register.php
profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php.
CVSS 9.8
EIP-2026-106674 EXPLOITDB text WRITEUP
e107 plugin fm pro 1 - File Disclosure / Arbitrary File Upload / Directory Traversal
CVE-2006-2008 EXPLOITDB text WORKING POC
Built2Go PHP Movie Review <2B - RCE
PHP remote file inclusion vulnerability in movie_cls.php in Built2Go PHP Movie Review 2B and earlier allows remote attackers to execute arbitrary PHP code via a URL in the full_path parameter.
EIP-2026-105271 EXPLOITDB text WORKING POC
ASPapp Knowledge Base - 'CatId' SQL Injection (2)
CVE-2007-5820 EXPLOITDB text WORKING POC
Ax Developer CMS 0.1.1 - Remote File Inclusion via Module Parameter Path Traversal
Directory traversal vulnerability in index.php in Ax Developer CMS (AxDCMS) 0.1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
CVE-2006-5647 EXPLOITDB text WORKING POC
Sophos Anti-Virus and Endpoint Security < 6.0.5 - Remote Code Execution via Malformed CHM File
Sophos Anti-Virus and Endpoint Security before 6.0.5, Anti-Virus for Linux before 5.0.10, and other platforms before 4.11 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via a malformed CHM file with a large name length in the CHM chunk header, aka "CHM name length memory consumption vulnerability."
EIP-2026-103387 EXPLOITDB text WORKING POC
Adobe Acrobat 9.1.1 (OSX/Windows) - Stack Overflow Crash (PoC)
CVE-1999-0034 EXPLOITDB perl WORKING POC
Perl 4.x and 5.x - Buffer Overflow in suidperl
Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.
CVE-2008-1801 EXPLOITDB perl WORKING POC
rdesktop 1.5.0 - Integer Underflow in iso_recv_msg Function
Integer underflow in the iso_recv_msg function (iso.c) in rdesktop 1.5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Remote Desktop Protocol (RDP) request with a small length field.
CVE-2008-1878 EXPLOITDB text WORKING POC
xine-lib < 1.1.12 - Stack-based Buffer Overflow via Long NSF Title
Stack-based buffer overflow in the demux_nsf_send_chunk function in src/demuxers/demux_nsf.c in xine-lib 1.1.12 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long NSF title.
CVE-2005-2925 EXPLOITDB bash WORKING POC
SGI IRIX - Local Command Execution via runpriv Shell Metacharacter Injection
runpriv in SGI IRIX allows local users to bypass intended restrictions and execute arbitrary commands via shell metacharacters in a command line for a privileged binary in /usr/sysadm/privbin.
CVE-2007-2270 EXPLOITDB perl WORKING POC
Linksys SPA941 - Denial of Service via SIP INVITE From Header
The Linksys SPA941 VoIP Phone allows remote attackers to cause a denial of service (device reboot) via a 0377 (0xff) character in the From header, and possibly certain other locations, in a SIP INVITE request.
EIP-2026-101383 EXPLOITDB text WRITEUP
Netgear WNR2000 FW 1.2.0.8 - Information Disclosure
EIP-2026-101160 EXPLOITDB text WORKING POC
ASMAX AR 804 gu Web Management Console - Arbitrary Command Execution
EIP-2026-101125 EXPLOITDB text WORKING POC
Linksys WAG54G2 - Web Management Console Arbitrary Command Execution
CVE-2007-4553 EXPLOITDB perl WORKING POC
Thomson ST 2030 SIP Phone 1.52.1 - Denial of Service via Malformed Via Header
The Thomson ST 2030 SIP phone with software 1.52.1 allows remote attackers to cause a denial of service (device hang) via an INVITE message with a Via header that contains a '/' (slash) instead of the required space following the SIP version number.
EIP-2026-100445 EXPLOITDB html WORKING POC
MuOnline Loopholes Web Server - 'pkok.asp' SQL Injection
CVE-2006-6821 EXPLOITDB html WORKING POC
Enthrallweb eNews - Authenticated Profile Field Modification via MM_recordId Parameter
myprofile.asp in Enthrallweb eNews does not properly validate the MM_recordId parameter during profile updates, which allows remote authenticated users to modify certain profile fields of another account by specifying that account's username in a modified MM_recordId parameter.
CVE-2004-1054 EXPLOITDB bash WORKING POC
IBM AIX <5.3.0 - Privilege Escalation
Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout.