Exploitdb Exploits
31,394 exploits tracked across all sources.
ferretCMS 1.0.4-alpha - Cross-Site Request Forgery in admin.php
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cross-site scripting (XSS), (2) SQL injection, or (3) unrestricted file upload attacks.
by Steffen Rösemann
Symantec SCSP <5.2.9, SDCS:SA <6.0 MP1 - Auth Bypass
The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors.
by SEC Consult
CMSJunkie J-ClassifiedsManager - Cross-Site Scripting via View Parameter
Cross-site scripting (XSS) vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the view parameter to /classifieds.
by Sarath Nair
ZOHO ManageEngine ServiceDesk Plus <9.0 build 9031 - Info Disclosure
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp.
by Rewterz - Research Group
ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting
by Ertebat Gostar Co
Android < 5.0.1 - Denial of Service via Crafted 802.11 Probe Response Frame
WiFiMonitor in Android 4.4.4 as used in the Nexus 5 and 4, Android 4.2.2 as used in the LG D806, Android 4.2.2 as used in the Samsung SM-T310, Android 4.1.2 as used in the Motorola RAZR HD, and potentially other unspecified Android releases before 5.0.1 and 5.0.2 does not properly handle exceptions, which allows remote attackers to cause a denial of service (reboot) via a crafted 802.11 probe response frame.
by Core Security
CVSS 7.5
NPDS Revolution 13 - SQL Injection via Search Query Parameter
SQL injection vulnerability in search.php in NPDS Revolution 13 allows remote attackers to execute arbitrary SQL commands via the query parameter.
by Narendra Bhati
xlinkerz ecommerceMajor - SQL Injection
Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allow remote attackers to execute arbitrary SQL commands via the (1) productbycat parameter to product.php, or (2) username or (3) password parameter to __admin/index.php.
by Manish Tanwar
ManageEngine ServiceDesk Plus 9.0 - User Enumeration
by Muhammad Ahmed Siddiqui
ZOHO ManageEngine SDP <9.0.9031 - SQL Injection
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.
by Muhammad Ahmed Siddiqui
Cisco Ironport Appliances - Privilege Escalation
by Glafkos Charalambous
Free Reprintables ArticleFR <3.0.5 - SQL Injection
SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/.
by TranDinhTien
Pixabay Images <2.4 - Code Injection
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
by Hans-Martin Muench
pixabay_images < 2.3 - Cross-Site Scripting via image_user Parameter
Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.
by Hans-Martin Muench
Pixabay Images <2.4 - Path Traversal
Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.
by Hans-Martin Muench
Pixabay Images <2.4 - Code Injection
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.
by Hans-Martin Muench
cformsII < 14.7 - Unauthenticated Arbitrary File Upload via cf_uploadfile2 Parameter
Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the cf_uploadfile2[] parameter, then accessing the file via a direct request to the file in the default upload directory.
by Zakhar
By Source