Exploitdb Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-119429 EXPLOITDB text
Soitec SmartEnergy 1.4 - SCADA Login SQL Injection / Authentication Bypass
by LiquidWorm
EIP-2026-111741 EXPLOITDB text
ResourceSpace 6.4.5976 - Cross-Site Scripting / SQL Injection / Insecure Cookie Handling
by Adler Freiheit
CVE-2014-9258 EXPLOITDB text
GLPI < 0.85 - Authenticated SQL Injection via Dropdown Condition Parameter
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
by Kacper Szurek
CVE-2014-9218 EXPLOITDB text
phpMyAdmin <4.0.10.7-4.2.13.1 - DoS
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password.
by Javer Nieto & Andres Rojas
CVE-2015-0107 EXPLOITDB MEDIUM text
IBM Maximo Asset Management 7.1-7.1.1.8, 7.5 < 7.5.0.7 IFIX003, 7.6 < 7.6.0.0 IFIX002 - Authenticated Path Traversal
IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to conduct directory traversal attacks via unspecified vectors.
by Jakub Palaczynski
CVSS 6.5
CVE-2014-5462 EXPLOITDB text VERIFIED
OpenEMR < 4.1.2 - Authenticated SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (Patch 7) and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) layout_id parameter to interface/super/edit_layout.php; (2) form_patient_id, (3) form_drug_name, or (4) form_lot_number parameter to interface/reports/prescriptions_report.php; (5) payment_id parameter to interface/billing/edit_payment.php; (6) id parameter to interface/forms_admin/forms_admin.php; (7) form_pid or (8) form_encounter parameter to interface/billing/sl_eob_search.php; (9) sortby parameter to interface/logview/logview.php; form_facility parameter to (10) procedure_stats.php, (11) pending_followup.php, or (12) pending_orders.php in interface/orders/; (13) patient, (14) encounterid, (15) formid, or (16) issue parameter to interface/patient_file/deleter.php; (17) search_term parameter to interface/patient_file/encounter/coding_popup.php; (18) text parameter to interface/patient_file/encounter/search_code.php; (19) form_addr1, (20) form_addr2, (21) form_attn, (22) form_country, (23) form_freeb_type, (24) form_partner, (25) form_name, (26) form_zip, (27) form_state, (28) form_city, or (29) form_cms_id parameter to interface/practice/ins_search.php; (30) form_pid parameter to interface/patient_file/problem_encounter.php; (31) patient, (32) form_provider, (33) form_apptstatus, or (34) form_facility parameter to interface/reports/appointments_report.php; (35) db_id parameter to interface/patient_file/summary/demographics_save.php; (36) p parameter to interface/fax/fax_dispatch_newpid.php; or (37) patient_id parameter to interface/patient_file/reminder/patient_reminders.php.
by Portcullis
CVE-2014-9528 EXPLOITDB text
HumHub <0.10.0-rc.1 - SQL Injection
SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks via a request that causes an error.
by Jos Wetzels_ Emiel Florijn
EIP-2026-107680 EXPLOITDB text
Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities
by Jos Wetzels_ Emiel Florijn
CVE-2014-8810 EXPLOITDB text
WP Symposium <14.11 - SQL Injection
SQL injection vulnerability in ajax/mail_functions.php in the WP Symposium plugin before 14.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tray parameter in a getMailMessage action.
by Kacper Szurek
EIP-2026-113550 EXPLOITDB text
WordPress Plugin Ajax Store Locator 1.2 - Arbitrary File Download
by Claudio Viviani
EIP-2026-110511 EXPLOITDB text
PBBoard CMS - Persistent Cross-Site Scripting
by Manish Tanwar
EIP-2026-107731 EXPLOITDB text
IceHrm 7.1 - Multiple Vulnerabilities
by LiquidWorm
EIP-2026-107208 EXPLOITDB text VERIFIED
Free Article Submissions 1.0 - SQL Injection
by BarrabravaZ
CVE-2014-9215 EXPLOITDB text
PBBoard < 3.0.1 - SQL Injection via Email Parameter in Register Page
SQL injection vulnerability in the CheckEmail function in includes/functions.class.php in PBBoard 3.0.1 before 20141128 allows remote attackers to execute arbitrary SQL commands via the email parameter in the register page to index.php. NOTE: the email parameter in the forget page vector is already covered by CVE-2012-4034.2.
by Tran Dinh Tien
EIP-2026-103356 EXPLOITDB text
Offset2lib - Bypassing Full ASLR On 64 bit Linux
by Packet Storm
CVE-2014-9143 EXPLOITDB text
Technicolor Router TD5130 - Open Redirect
Open redirect vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the failrefer parameter.
by Crash
CVE-2014-9142 EXPLOITDB text
Technicolor Router TD5130 - Firmware 2.05.C29GV - XSS
Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to inject arbitrary web script or HTML via the failrefer parameter.
by Crash
CVE-2014-9144 EXPLOITDB text
Technicolor Router TD5130 <2.05.C29GV - RCE
Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to execute arbitrary commands via shell metacharacters in the ping field (setobject_ip parameter).
by Crash
CVE-2014-9345 EXPLOITDB text
Guruperl.net AWP PRO <6.6 - SQL Injection
SQL injection vulnerability in Guruperl.net Advertise With Pleasure! Professional (aka AWP PRO) 6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a list_zone action to cgi/client.cgi.
by Robert Cooper
CVE-2014-9173 EXPLOITDB text
Google Doc Embedder <2.5.15 - SQL Injection
SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter.
by Securely (Yoo Hee man)
EIP-2026-113634 EXPLOITDB text VERIFIED
WordPress Plugin CodeArt Google MP3 Player - File Disclosure Download
by QK14 Team
CVE-2014-9305 EXPLOITDB text
Cart66 Lite < 1.5.1.17 - Authenticated SQL Injection via id Parameter
SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_products_table action to wp-admin/admin-ajax.php.
by Kacper Szurek
CVE-2014-5446 EXPLOITDB text
ManageEngine Netflow Analyzer 8.6-10.2 and IT360 10.3 - Path Traversal via DisplayChartPDF Filename Parameter
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.
by Pedro Ribeiro
EIP-2026-103028 EXPLOITDB text
VFU 4.10-1.1 - Local Buffer Overflow
by Juan Sacco
CVE-2014-9141 EXPLOITDB text
Thomson Reuters Fixed Assets CS <13.1.4 - Code Injection
The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier uses weak permissions for connectbgdl.exe, which allows local users to execute arbitrary code by modifying this program.
by Information Paradox