Exploitdb Exploits
2,012 exploits tracked across all sources.
Elasticsearch < 1.2 - Improper Access Control
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
by Jeff Geiger
CVSS 8.1
Open Assessment Technologies Tao - CSRF
Cross-site request forgery (CSRF) vulnerability in Open Assessment Technologies TAO 2.5.6 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts via a request to Users/add.
by High-Tech Bridge
Beetel 450tc2 Router Firmware - CSRF
Cross-site request forgery (CSRF) vulnerability in Beetel 450TC2 Router with firmware TX6-0Q-005_retail allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the uiViewTools_Password and uiViewTools_PasswordConfirm parameters to Forms/tools_admin_1.
by shyamkumar somana
MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.
by Jean-Jamil Khalife
CVSS 8.8
ICOMM 610 Wireless Modem - Cross-Site Request Forgery
by Blessen Thomas
Kaspersky Internet Security - Remote Denial of Service
by CXsecurity
DaumGame ActiveX <1.1.0.5 - RCE
Buffer overflow in the IconCreate method in an ActiveX control in the DaumGame ActiveX plugin 1.1.0.4 and 1.1.0.5 allows remote attackers to execute arbitrary code via a long string, as exploited in the wild in January 2014.
by Trustwave's SpiderLabs
MW6 Aztec, DataMatrix, MaxiCode <4.0 - RCE
MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls before version 4.0 are vulnerable to arbitrary code execution via a crafted HTML document. The latest versions (4.0) of the MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls have resolved the issue.
by Pedro Ribeiro
CVSS 8.1
BloofoxCMS - '/admin/index.php' Cross-Site Request Forgery (Add Admin)
by AtT4CKxT3rR0r1ST
PHPJabbers Property Listing Script 2.0 - Cross-Site Request Forgery (Add Admin)
by HackXBack
PHPJabbers Pet Listing Script 1.0 - Multiple Vulnerabilities
by HackXBack
Auto Classifieds Script 2.0 - Cross-Site Request Forgery (Add Admin)
by HackXBack
Feixun Wireless Router FWR-604H - Remote Code Execution
by Arash Abedian
Built2Go PHP Shopping - Cross-Site Request Forgery (Admin Password)
by AtT4CKxT3rR0r1ST
Dredge School Administration System - '/DSM/loader.php' Cross-Site Request Forgery (Admin Account Manipulation)
by AtT4CKxT3rR0r1ST
Command School Student Management System 1.06.01 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Command School Student Management System 1.06.01 allow remote attackers to hijack the authentication of (1) administrators for requests that change the administrator password via an update action to sw/admin_change_password.php or (2) unspecified victims for requests that add a topic or blog entry to sw/add_topic.php. NOTE: vector 2 can be leveraged to bypass the authentication requirements for exploiting vector 1 in CVE-2014-1914.
by AtT4CKxT3rR0r1ST
Piwigo - 'admin.php' Cross-Site Request Forgery (User Creation)
by sajith
Sunil Nanda Blue Wrench Video Widget < 1.0.5 - CSRF
Cross-site request forgery (CSRF) vulnerability in bluewrench-video-widget.php in the Blue Wrench Video Widget plugin before 2.0.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that embed arbitrary URLs via the bw_url parameter in the bw-videos page to wp-admin/admin.php, as demonstrated by embedding a URL to a JavaScript file.
by Haider Mahmood