Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2015-4683 EXPLOITDB CRITICAL text
Polycom RealPresence Resource Manager < 8.3.2 - Session ID Info Disclosure & Privilege Escalation
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.
by SEC Consult
CVSS 9.8
CVE-2015-4682 EXPLOITDB MEDIUM text
Polycom RealPresence Resource Manager < 8.3.2 - Authenticated Installation Path Exposure via JConfigManager
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows remote authenticated users to obtain the installation path via an HTTP POST request to PlcmRmWeb/JConfigManager.
by SEC Consult
CVSS 6.5
CVE-2015-4681 EXPLOITDB HIGH text
Polycom RealPresence Resource Manager < 8.3.2 - Unspecified Impact via Weak Passwords
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users to have unspecified impact via vectors related to weak passwords.
by SEC Consult
CVSS 7.8
CVE-2015-5452 EXPLOITDB text
Watchguard XCS <10.0 - SQL Injection
SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to borderpost/imp/compose.php3.
by Security-Assessment.com
CVE-2015-5354 EXPLOITDB text
Novius OS 5.0.1 - Open Redirect via Login Redirect Parameter
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
by hyp3rlinx
CVE-2015-3934 EXPLOITDB CRITICAL text
Fiyo CMS 2.0_1.9.1 - SQL Injection via id Parameter or user Parameter
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.
by cfreer
CVSS 9.8
EIP-2026-103270 EXPLOITDB text
CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion
by otr
EIP-2026-102542 EXPLOITDB text
WedgeOS 4.0.4 - Multiple Vulnerabilities
by Security-Assessment.com
CVE-2015-4685 EXPLOITDB HIGH text
Polycom RealPresence Resource Manager < 8.3.2 - Privilege Escalation via Sudo Misconfiguration
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users with access to the plcm account to gain privileges via a script in /var/polycom/cma/upgrade/scripts, related to a sudo misconfiguration.
by SEC Consult
CVSS 7.0
CVE-2015-4460 EXPLOITDB text
c2box < 4.0.0 - Cross-Site Request Forgery in UserManagement.aspx
Cross-site request forgery (CSRF) vulnerability in SecuritySetting/UserSecurity/UserManagement.aspx in B.A.S C2Box before 4.0.0 (r19171) allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via certain vectors.
by Wissam Bashour
CVE-2005-2112 EXPLOITDB text
XOOPS <= 2.0.11 - Cross-Site Scripting via Order or CID Parameter
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php.
by GulfTech Security
CVE-2015-4553 EXPLOITDB HIGH text
dedecms < 5.7-sp1 - Unrestricted File Upload
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.
by zise
CVSS 8.8
CVE-2015-5082 EXPLOITDB text
Endian Firewall < 2.5.1 - Remote Command Execution via Password Change Parameters
Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.
by Ben Lincoln
CVE-2015-4630 EXPLOITDB HIGH text
Koha 3.14.00-3.14.15 - Cross-Site Request Forgery via Member Entry or Flag Endpoints
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 8.0
CVE-2015-2169 EXPLOITDB text
ManageEngine AssetExplorer 6.1 - Cross-Site Scripting via Publisher Registry Entry
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.
by Suraj Krishnaswami
CVE-2015-4633 EXPLOITDB CRITICAL text
Koha 3.14.00-3.14.15 - SQL Injection via OPAC Tags Subject Parameter
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 9.8
CVE-2015-4631 EXPLOITDB MEDIUM text
Koha 3.14.00-3.14.15 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 5.4
CVE-2015-4632 EXPLOITDB HIGH text
Koha 3.14.00-3.14.15 - Path Traversal via Template Path Parameter
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos
CVSS 7.5
CVE-2015-3443 EXPLOITDB text
Thycotic Secret Server <8.8.000005 - XSS
Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly handled when toggling the password mask.
by Marco Delai
EIP-2026-113814 EXPLOITDB text
WordPress Plugin Huge-IT Slider 2.7.5 - Multiple Vulnerabilities
by i0akiN SEC-LABORATORY
CVE-2015-4117 EXPLOITDB HIGH text VERIFIED
Vesta Control Panel < 0.9.8-14 - Authenticated Remote Code Execution via Backup Parameter
Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php.
by High-Tech Bridge SA
CVSS 8.8
EIP-2026-108540 EXPLOITDB text
Joomla! Component com_simpleimageupload - Arbitrary File Upload
by CrashBandicot
CVE-2015-5066 EXPLOITDB text
GeniXCMS 0.0.3 - Cross-Site Scripting via Posts Page Parameters
Multiple cross-site scripting (XSS) vulnerabilities in the MetalGenix GeniXCMS 0.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) content or (2) title field in an add action in the posts page to index.php or the (3) q parameter in the posts page to index.php.
by hyp3rlinx
CVE-2015-3933 EXPLOITDB CRITICAL text
MetalGenix GeniXCMS <0.0.3-patch - SQL Injection
Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php.
by cfreer
CVSS 9.8
CVE-2015-3112 EXPLOITDB text VERIFIED
Adobe Photoshop CC <16.0 - Memory Corruption
Adobe Photoshop CC before 16.0 (aka 2015.0.0) and Adobe Bridge CC before 6.11 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
by Francis Provencher