Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-113556 EXPLOITDB text
WordPress Plugin All In One WP Security & Firewall 3.8.3 - Persistent Cross-Site Scripting
by Vulnerability-Lab
CVE-2014-5308 EXPLOITDB text VERIFIED
TestLink 1.9.11 - Authenticated SQL Injection via Name or ID Parameter
Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php.
by Portcullis
EIP-2026-111685 EXPLOITDB text
RBS Change Complet Open Source 3.6.8 - Cross-Site Request Forgery
by Krusty Hack
CVE-2014-6389 EXPLOITDB text VERIFIED
PHPCompta/NOALYSS <6.7.2 - Command Injection
backup.php in PHPCompta/NOALYSS before 6.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the d parameter.
by Portcullis
CVE-2014-8295 EXPLOITDB text VERIFIED
Bacula-Web 5.2.10 - SQL Injection via Joblogs JobID Parameter
SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
by wishnusakti
CVE-2014-5300 EXPLOITDB text
Adaptive Computing Moab < 7.2.9 and 8 < 8.0.0 - Unauthenticated Authentication Bypass via Message Without Signature
Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature.
by MWR InfoSecurity
CVE-2014-4312 EXPLOITDB text
Epicor Enterprise < 7.4 - Cross-Site Scripting via Multiple Input Fields
Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allow remote attackers to inject arbitrary web script or HTML via the (1) Notes section to Order details; (2) Description section to "Order to consume"; (3) Favorites name section to Favorites; (4) FiltKeyword parameter to Procurement/EKPHTML/search_item_bt.asp; (5) Act parameter to Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp; (6) hdnOpener or (7) hdnApproverFieldName parameter to Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp; or (8) INTEGRATED parameter to Procurement/EKPHTML/EnterpriseManager/Codes.asp.
by Fara Rustein
EIP-2026-102244 EXPLOITDB text
GS Foto Uebertraeger 3.0 iOS - Local File Inclusion
by Vulnerability-Lab
CVE-2004-1569 EXPLOITDB text
dBpowerAMP Audio Player and Music Converter - Buffer Overflow via Long Filename in Playlist
Buffer overflow in (1) MusicConverter.exe, (2) playlist.exe, and (3) amp.exe in dBpowerAMP Audio Player 2.0 and dbPowerAmp Music Converter 10.0 allows remote attackers to cause a denial of service or execute arbitrary code via a .pls or .m3u playlist that contains long File1 (filename) fields.
by GulfTech Security
CVE-2014-7201 EXPLOITDB text
TYPO3 dmmjobcontrol <2.14.0 - SQL Injection
Multiple SQL injection vulnerabilities in the search function in pi1/class.tx_dmmjobcontrol_pi1.php in the JobControl (dmmjobcontrol) extension 2.14.0 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via the (1) education, (2) region, or (3) sector fields, as demonstrated by the tx_dmmjobcontrol_pi1[search][sector][] parameter to jobs/.
by Adler Freiheit
CVE-2014-6312 EXPLOITDB text
Login Widget With Shortcode < 3.2.1 - CSRF and Stored XSS via custom_style_afo
Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php.
by dxw
CVE-2014-6242 EXPLOITDB text
All In One WP Security & Firewall <3.8.3 - SQL Injection
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
by High-Tech Bridge SA
CVE-2014-6308 EXPLOITDB text VERIFIED
OsClass < 3.4.2 - Path Traversal via File Parameter in oc-admin/index.php
Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.
by Netsparker
CVE-2014-8307 EXPLOITDB text
C97net Cart Engine < 3.0 - Cross-Site Scripting via Path Parameter or Print This Page Variable
Multiple cross-site scripting (XSS) vulnerabilities in skins/default/outline.tpl in C97net Cart Engine before 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) path parameter in the "drop down TOP menu (with path)" section or (2) print_this_page variable in the footer_content_block section, as demonstrated by the QUERY_STRING to (a) index.php, (b) checkout.php, (c) contact.php, (d) detail.php, (e) distro.php, (f) newsletter.php, (g) page.php, (h) profile.php, (i) search.php, (j) sitemap.php, (k) task.php, or (l) tell.php.
by Quantum Leap
CVE-2014-7910 EXPLOITDB text VERIFIED
Google Chrome < 39.0.2171.65 - Denial of Service or Other Impact
Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
by Stephane Chazelas
CVE-2014-5258 EXPLOITDB text
webEdition CMS < 6.3.8.0 - Authenticated Path Traversal via showTempFile.php file Parameter
Directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.
by High-Tech Bridge SA
CVE-2014-6619 EXPLOITDB text
Restaurant Script PizzaInn_Project 1.0.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in register-exec.php in Restaurant Script (PizzaInn_Project) 1.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fname, (2) lname, or (3) login parameter.
by Kenneth F. Belva
EIP-2026-107439 EXPLOITDB text
Glype 1.4.9 - Local Address Filter Bypass
by Securify
EIP-2026-107438 EXPLOITDB text
Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion
by Securify
CVE-2009-3542 EXPLOITDB text VERIFIED
LittleSite 0.1 - Path Traversal and Arbitrary File Execution via File Parameter
Directory traversal vulnerability in ls.php in LittleSite (aka LS or LittleSite.php) 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
by Eolas_Gadai
CVE-2014-6607 EXPLOITDB text
M/Monit <3.3.2 - Privilege Escalation
M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability than CVE-2014-6409.
by Dolev Farhi
EIP-2026-113007 EXPLOITDB text
vBulletin 4.x Verify Email Before Registration Plugin - SQL Injection
by Dave
CVE-2014-6409 EXPLOITDB text
m/monit < 3.3.2 - Cross-Site Request Forgery via User Update Endpoint
Cross-site request forgery (CSRF) vulnerability in M/Monit 3.3.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that change user passwords via the fullname and password parameters to /admin/users/update.
by Dolev Farhi
CVE-2014-6420 EXPLOITDB MEDIUM text
Livefyre LiveComments 3.0 - Stored Cross-Site Scripting via Uploaded Picture Name
Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture.
by Brij Kishore Mishra
CVSS 6.1
CVE-2014-6030 EXPLOITDB text
ClassApps SelectSurvey.NET < 4.125.002 - SQL Injection via SurveyID Parameter
Multiple SQL injection vulnerabilities in ClassApps SelectSurvey.NET before 4.125.002 allow (1) remote attackers to execute arbitrary SQL commands via the SurveyID parameter to survey/ReviewReadOnlySurvey.aspx or (2) remote authenticated users to execute arbitrary SQL commands via the SurveyID parameter to survey/UploadImagePopupToDb.aspx.
by BillV-Lists