Exploitdb Exploits
31,394 exploits tracked across all sources.
WordPress Plugin All In One WP Security & Firewall 3.8.3 - Persistent Cross-Site Scripting
by Vulnerability-Lab
TestLink 1.9.11 - Authenticated SQL Injection via Name or ID Parameter
Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php.
by Portcullis
RBS Change Complet Open Source 3.6.8 - Cross-Site Request Forgery
by Krusty Hack
PHPCompta/NOALYSS <6.7.2 - Command Injection
backup.php in PHPCompta/NOALYSS before 6.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the d parameter.
by Portcullis
Bacula-Web 5.2.10 - SQL Injection via Joblogs JobID Parameter
SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
by wishnusakti
Adaptive Computing Moab < 7.2.9 and 8 < 8.0.0 - Unauthenticated Authentication Bypass via Message Without Signature
Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature.
by MWR InfoSecurity
Epicor Enterprise < 7.4 - Cross-Site Scripting via Multiple Input Fields
Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allow remote attackers to inject arbitrary web script or HTML via the (1) Notes section to Order details; (2) Description section to "Order to consume"; (3) Favorites name section to Favorites; (4) FiltKeyword parameter to Procurement/EKPHTML/search_item_bt.asp; (5) Act parameter to Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp; (6) hdnOpener or (7) hdnApproverFieldName parameter to Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp; or (8) INTEGRATED parameter to Procurement/EKPHTML/EnterpriseManager/Codes.asp.
by Fara Rustein
GS Foto Uebertraeger 3.0 iOS - Local File Inclusion
by Vulnerability-Lab
dBpowerAMP Audio Player and Music Converter - Buffer Overflow via Long Filename in Playlist
Buffer overflow in (1) MusicConverter.exe, (2) playlist.exe, and (3) amp.exe in dBpowerAMP Audio Player 2.0 and dbPowerAmp Music Converter 10.0 allows remote attackers to cause a denial of service or execute arbitrary code via a .pls or .m3u playlist that contains long File1 (filename) fields.
by GulfTech Security
TYPO3 dmmjobcontrol <2.14.0 - SQL Injection
Multiple SQL injection vulnerabilities in the search function in pi1/class.tx_dmmjobcontrol_pi1.php in the JobControl (dmmjobcontrol) extension 2.14.0 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via the (1) education, (2) region, or (3) sector fields, as demonstrated by the tx_dmmjobcontrol_pi1[search][sector][] parameter to jobs/.
by Adler Freiheit
Login Widget With Shortcode < 3.2.1 - CSRF and Stored XSS via custom_style_afo
Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php.
by dxw
All In One WP Security & Firewall <3.8.3 - SQL Injection
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
by High-Tech Bridge SA
OsClass < 3.4.2 - Path Traversal via File Parameter in oc-admin/index.php
Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.
by Netsparker
C97net Cart Engine < 3.0 - Cross-Site Scripting via Path Parameter or Print This Page Variable
Multiple cross-site scripting (XSS) vulnerabilities in skins/default/outline.tpl in C97net Cart Engine before 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) path parameter in the "drop down TOP menu (with path)" section or (2) print_this_page variable in the footer_content_block section, as demonstrated by the QUERY_STRING to (a) index.php, (b) checkout.php, (c) contact.php, (d) detail.php, (e) distro.php, (f) newsletter.php, (g) page.php, (h) profile.php, (i) search.php, (j) sitemap.php, (k) task.php, or (l) tell.php.
by Quantum Leap
Google Chrome < 39.0.2171.65 - Denial of Service or Other Impact
Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
by Stephane Chazelas
webEdition CMS < 6.3.8.0 - Authenticated Path Traversal via showTempFile.php file Parameter
Directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.
by High-Tech Bridge SA
Restaurant Script PizzaInn_Project 1.0.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in register-exec.php in Restaurant Script (PizzaInn_Project) 1.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fname, (2) lname, or (3) login parameter.
by Kenneth F. Belva
Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion
by Securify
LittleSite 0.1 - Path Traversal and Arbitrary File Execution via File Parameter
Directory traversal vulnerability in ls.php in LittleSite (aka LS or LittleSite.php) 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
by Eolas_Gadai
M/Monit <3.3.2 - Privilege Escalation
M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability than CVE-2014-6409.
by Dolev Farhi
vBulletin 4.x Verify Email Before Registration Plugin - SQL Injection
by Dave
m/monit < 3.3.2 - Cross-Site Request Forgery via User Update Endpoint
Cross-site request forgery (CSRF) vulnerability in M/Monit 3.3.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that change user passwords via the fullname and password parameters to /admin/users/update.
by Dolev Farhi
Livefyre LiveComments 3.0 - Stored Cross-Site Scripting via Uploaded Picture Name
Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture.
by Brij Kishore Mishra
CVSS 6.1
ClassApps SelectSurvey.NET < 4.125.002 - SQL Injection via SurveyID Parameter
Multiple SQL injection vulnerabilities in ClassApps SelectSurvey.NET before 4.125.002 allow (1) remote attackers to execute arbitrary SQL commands via the SurveyID parameter to survey/ReviewReadOnlySurvey.aspx or (2) remote authenticated users to execute arbitrary SQL commands via the SurveyID parameter to survey/UploadImagePopupToDb.aspx.
by BillV-Lists
By Source