Exploitdb Exploits
31,394 exploits tracked across all sources.
CorelDRAW X7 CDR File - 'CdrTxt.dll' Off-by-One Stack Corruption
by LiquidWorm
WordPress SupportEzzy Ticket System 1.2.5 - XSS
Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket System plugin 1.2.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the "URL (optional)" field in a new ticket.
by Halil Dalabasmaz
Photo Gallery 1.2.5 - Info Disclosure
Unrestricted File Upload vulnerability in Photo Gallery 1.2.5.
by Kacper Szurek
CVSS 8.8
Subex ROC Fraud Mgmt <7.4 - SQL Injection
SQL injection vulnerability in the login page (login/login) in Subex ROC Fraud Management (aka Fraud Management System and FMS) 7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ranger_user[name] parameter.
by Anastasios Monachos
ManageEngine Password Manager Pro < 7.1 - Authenticated SQL Injection via BulkEditSearchResult.cc SEARCH_ALL Parameter
SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter.
by Pedro Ribeiro
vldPersonals < 2.7 - Cross-Site Scripting via Member Profile ID Parameter
Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php.
by Mr T
Another WordPress Classifieds Plugin - SQL Injection via keywordphrase Parameter
SQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the keywordphrase parameter in a dosearch action.
by dill
XCloner 3.1.1 and 3.5.1 - Exposure of Sensitive Information via Command Line Arguments
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command.
by Larry W. Cashdollar
vldPersonals <2.7.1 - SQL Injection
Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 allow remote attackers to execute arbitrary SQL commands via the (1) country, (2) gender1, or ((3) gender2 parameter in a search action to index.php.
by Mr T
Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities
by Halil Dalabasmaz
phpSound 1.0.5 - Stored Cross-Site Scripting via Playlist Title or Description
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.php.
by Halil Dalabasmaz
php-fusion 7.02.07 - Authenticated SQL Injection via submit_id or status Parameter
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php.
by XLabs Security
ManageEngine Password Manager Pro < 7.1 - Authenticated SQL Injection via SEARCH_ALL Parameter
Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc.
by Pedro Ribeiro
ManageEngine OpManager 11.3-11.4, IT360 10.3-10.4, Social IT Plus 11.0 SQL Injection
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
by Pedro Ribeiro
Barracuda - Multiple Unauthentication Logfile Downloads
by 4CKnowLedge
ManageEngine OpManager 11.3-11.4, IT360 10.3-10.4, Social IT Plus 11.0 SQL Injection
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
by Pedro Ribeiro
VMware Workstation 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read
by KoreLogic
Symantec Endpoint Protection Manager <12.1 - RCE
ConsoleServlet in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU5 allows remote attackers to write to arbitrary files via unspecified vectors.
by SEC Consult
Mouse Media Script 1.6 - Persistent Cross-Site Scripting
by Halil Dalabasmaz
MODX Revolution <2.2.15 - Info Disclosure
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
by Narendra Bhati
ManageEngine EventLog Analyzer 7-9.9 - Credentials Disclosure
ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000.
by Pedro Ribeiro
CVSS 7.5
Google Chrome < 39.0.2171.65 - Denial of Service or Other Impact
Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
by Ryan King (Starfall)
By Source