Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2014-9350 EXPLOITDB text
TP-Link TL-WR740N Firmware <=3.17.0 DoS via PingIframeRpm.htm isNew Parameter
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.
by LiquidWorm
CVE-2014-8387 EXPLOITDB text VERIFIED
Advantech EKI-6340 2.05 - Authenticated OS Command Injection via pinghost Parameter
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.
by Core Security
CVE-2014-9349 EXPLOITDB text
RobotStats 1.0 - Cross-Site Scripting via nom or user_agent Parameter
Multiple cross-site scripting (XSS) vulnerabilities in admin/robots.lib.php in RobotStats 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) nom or (2) user_agent parameter to admin/robots.php.
by ZoRLu Bugrahan
EIP-2026-117796 EXPLOITDB text
Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation
by LiquidWorm
CVE-2014-8877 EXPLOITDB text
CreativeMinds CM Downloads Manager <2.0.4 - RCE
The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function.
by Phi Ngoc Le
EIP-2026-101882 EXPLOITDB text
Netgear WNR500 Wireless Router - 'webproc?getpage' Traversal Arbitrary File Access
by LiquidWorm
CVE-2014-9178 EXPLOITDB text VERIFIED
Smarty Pants Plugins SP Project & Document Manager <2.4.1 - SQL Inj...
Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function.
by ITAS Team
CVE-2014-8801 EXPLOITDB text VERIFIED
Paid Memberships Pro <1.7.15 - Path Traversal
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.
by Kacper Szurek
CVE-2014-9237 EXPLOITDB text
Pricertif E-Commerce 3.0 - SQL Injection
SQL injection vulnerability in Proticaret E-Commerce 3.0 allows remote attackers to execute arbitrary SQL commands via a tem:Code element in a SOAP request.
by BGA Security
CVE-2014-1806 EXPLOITDB text
Microsoft .NET Framework <4.5.2 - RCE
The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."
by James Forshaw
CVE-2014-9236 EXPLOITDB text
Zoph < 0.9.1 - Cross-Site Scripting via photographer_id or _crumb Parameter
Cross-site scripting (XSS) vulnerability in php/edit_photos.php in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) photographer_id or (2) _crumb parameter.
by Manuel García Cárdenas
CVE-2014-9243 EXPLOITDB text
WebsiteBaker 2.8.3 - Cross-Site Scripting via QUERY_STRING or section_id Parameter
Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4) news/modify_group.php, (5) news/modify_post.php, or (6) news/modify_settings.php in wb/modules/.
by Manuel García Cárdenas
CVE-2014-8469 EXPLOITDB text
moxi9 phpfox < 3.7.6 - Cross-Site Scripting via User-Agent Header
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.
by spyk2r
EIP-2026-109715 EXPLOITDB text VERIFIED
MyBB Forums 1.8.2 - Persistent Cross-Site Scripting
by Avinash Thapa
CVE-2014-8995 EXPLOITDB text
Maarch LetterBox 2.8 - SQL Injection
SQL injection vulnerability in Maarch LetterBox 2.8 allows remote attackers to execute arbitrary SQL commands via the UserId cookie.
by ZoRLu Bugrahan
CVE-2014-8493 EXPLOITDB text
ZTE ZXHN H108L Firmware 4.0.0d_ZRQ_GR4 - Unauthenticated CWMP Configuration Modification
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.
by Project Zero Labs
CVE-2014-8493 EXPLOITDB text
ZTE ZXHN H108L Firmware 4.0.0d_ZRQ_GR4 - Unauthenticated CWMP Configuration Modification
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.
by Project Zero Labs
CVE-2014-100013 EXPLOITDB text
clientresponse 4.1 - Cross-Site Scripting via Subject or Message Field
Multiple cross-site scripting (XSS) vulnerabilities in clientResponse 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Subject or (2) Message field.
by Halil Dalabasmaz
CVE-2014-8682 EXPLOITDB text
Gogs 0.3.1-0.5.x - SQL Injection via Search API q Parameter
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
by Timo Schmid
CVE-2014-8681 EXPLOITDB text
Gogs 0.3.1-0.5.6.x - SQL Injection via Label Parameter
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.
by Timo Schmid
CVE-2014-9115 EXPLOITDB text
Piwigo <2.5.5, <2.6.x before 2.6.4, <2.7.x before 2.7.2 - SQL Injec...
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
by Manuel García Cárdenas
CVE-2014-9241 EXPLOITDB text
MyBB 1.8.x < 1.8.2 - Cross-Site Scripting via Report Type Parameter
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php.
by smash
CVE-2014-8997 EXPLOITDB text VERIFIED
DigitalVidhya Digi Online Examination System 2.0 - RCE
Unrestricted file upload vulnerability in the Photo functionality in DigitalVidhya Digi Online Examination System 2.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in assets/uploads/images/.
by Halil Dalabasmaz
CVE-2014-9237 EXPLOITDB text
Pricertif E-Commerce 3.0 - SQL Injection
SQL injection vulnerability in Proticaret E-Commerce 3.0 allows remote attackers to execute arbitrary SQL commands via a tem:Code element in a SOAP request.
by Onur Alanbel (BGA)
CVE-2014-8727 EXPLOITDB text
F5 BIG-IP Local Traffic Manager < 10.2.1 - Authenticated Path Traversal via Archive Properties or Form Name Parameter
Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2.2 allow local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files via a .. (dot dot) in the name parameter to (1) tmui/Control/jspmap/tmui/system/archive/properties.jsp or (2) tmui/Control/form.
by Anastasios Monachos