Text Exploits
31,386 exploits tracked across all sources.
ALC WebCTRL <6.5 - Path Traversal
A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software.
by LiquidWorm
CVSS 6.3
Joomla! Component Flip Wall 8.0 SQL Injection
Joomla! Component Flip Wall 8.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wallid parameter. Attackers can send GET requests to index.php with the option=com_flipwall&task=click&wallid parameter containing SQL injection payloads to extract sensitive database information.
by Ihsan Sencan
CVSS 7.1
Joomla! Component Sponsor Wall 8.0 SQL Injection
Joomla! Component Sponsor Wall 8.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wallid parameter. Attackers can send GET requests to index.php with the option=com_sponsorwall&task=click&wallid parameter containing SQL injection payloads to extract sensitive database information including credentials and configuration data.
by Ihsan Sencan
CVSS 7.1
Joomla! FocalPoint Pro Free 1.2.3 SQL Injection via location
Joomla! Component FocalPoint Pro/Free 1.2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_focalpoint, view=location, and a crafted id parameter containing SQL commands to extract sensitive database information.
by Ihsan Sencan
CVSS 8.2
Joomla! Component Ajax Quiz 1.8 SQL Injection
Joomla! Component Ajax Quiz 1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cid parameter. Attackers can send GET requests to index.php with the option=com_ajaxquiz and view=ajaxquiz parameters to extract sensitive database information including table names and column structures.
by Ihsan Sencan
CVSS 8.2
Apache2Triad 1.5.4 - Cross-Site Request Forgery in User Account Management
Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack the authentication of authenticated users for requests that (1) add or (2) delete user accounts via a request to phpsftpd/users.php.
by hyp3rlinx
CVSS 8.8
Apache2Triad 1.5.4 - Info Disclosure
Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
by hyp3rlinx
CVSS 9.8
PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution via Crafted PDF File
The launchURL function in PDF-XChange Viewer 2.5 (Build 314.0) might allow remote attackers to execute arbitrary code via a crafted PDF file.
by Daniele Votta
CVSS 7.8
PHPMyWind 5.3 - Stored Cross-Site Scripting in Shopping Cart Message Handling
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
by 小雨
CVSS 6.1
Apache2Triad 1.5.4 - Cross-Site Scripting via phpsftpd/users.php Account Parameter
Cross-site scripting (XSS) vulnerability in Apache2Triad 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the account parameter to phpsftpd/users.php.
by hyp3rlinx
CVSS 6.1
(Bitcoin / Dogecoin) PHP Cloud Mining Script - Authentication Bypass
by Ihsan Sencan
Joomla! Component Twitch Tv 1.1 SQL Injection
Joomla! Component Twitch Tv 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username and id parameters. Attackers can send GET requests to index.php with option=com_twitchtv and view parameters containing SQL injection payloads to extract sensitive database information including credentials and configuration data.
by Ihsan Sencan
CVSS 8.2
Joomla! Component KissGallery 1.0.0 SQL Injection
Joomla! Component KissGallery 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the component URL path. Attackers can supply malicious SQL code in the kissgallery endpoint to execute arbitrary database queries and extract sensitive information.
by Ihsan Sencan
CVSS 8.2
Joomla! Component Zap Calendar Lite 4.3.4 SQL Injection
Joomla! Component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'eid' parameter. Attackers can send GET requests to the RSVP plugin endpoint with crafted SQL payloads to extract sensitive database information including database names and table structures.
by Ihsan Sencan
CVSS 8.2
Joomla! Component Calendar Planner 1.0.1 SQL Injection
Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensitive database information.
by Ihsan Sencan
CVSS 8.2
Joomla SP Movie Database 1.3 SQL Injection via searchword
Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword parameter. Attackers can send GET requests to the searchresults view with crafted SQL payloads in the searchword parameter to extract sensitive database information.
by Ihsan Sencan
CVSS 8.2
OSNEXUS QuantaStor < 4.3.0 - User Enumeration via Error Message
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the system. An attacker could leverage this information to fine-tune and enumerate valid accounts on the system by searching for common usernames.
by VVVSecurity
CVSS 5.3
NoviWare < 400.2.6 - Unauthenticated Remote Code Execution via Packet Data OS Command Injection
A network interface of the novi_process_manager_daemon service, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, can be inadvertently exposed if an operator attempts to modify ACLs, because of a bug when ACL modifications are applied. This could be leveraged by remote, unauthenticated attackers to gain resultant privileged (root) code execution on the switch, because incoming packet data can contain embedded OS commands, and can also trigger a stack-based buffer overflow.
by François Goichon
CVSS 9.8
By Source