Text Exploits
31,394 exploits tracked across all sources.
ManageEngine Desktop Central 7.0-9.0 - Path Traversal & Arbitrary File Write via AgentLogUploader
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.
by Pedro Ribeiro
CVSS 9.8
F5 Arx - Authentication Bypass
The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 11.5.0 before HF4, 11.4.1 before HF4, 11.4.0 before HF7, 11.3.0 before HF9, and 11.2.1 before HF11 and Enterprise Manager 3.x before 3.1.1 HF2, when configured in failover mode, does not require authentication, which allows remote attackers to read or write to arbitrary files via a cmi request to the ConfigSync IP address.
by Security-Assessment.com
Download Shortcode < 0.2.3 - Path Traversal via File Parameter
Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
by Mehdi Karout & Christian Galeone
ManageEngine DeviceExpert < 5.9 - Unauthenticated Exposure of Sensitive Information via ReadUsersFromMasterServlet
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
by Pedro Ribeiro
WordPress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities
by Mike Manzotti
Joomla! Component spidervideoplayer - 'theme' SQL Injection
by Claudio Viviani
ntopng < 1.2.1 - Cross-Site Scripting via HTTP Host Header
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
by Steffen Bauch
Innovative vtls-Virtua <2014.1.1 - SQL Injection
Multiple SQL injection vulnerabilities in the login in web_reports/cgi-bin/InfoStation.cgi in Innovative vtls-Virtua before 2013.2.4 and 2014.x before 2014.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.
by José Tozo
PHP Stock Management System 1.02 - Multiple Persistent Cross-Site Scripting Vulnerabilities
by Ragha Deepthi K R
innovaphone PBX < 10.00 - Cross-Site Request Forgery via CMD0/mod_cmd.xml or PBX0/ADMIN/mod_cmd_login.xml
Multiple cross-site request forgery (CSRF) vulnerabilities in innovaphone PBX 10.00 sr11 and earlier allow remote attackers to hijack the authentication of administrators for requests that modify configurations or user accounts, as demonstrated by (1) changing the administrator password via a crafted request to CMD0/mod_cmd.xml or (2) adding a new SIP user via a crafted request to PBX0/ADMIN/mod_cmd_login.xml.
by Rainer Giedat
WordPress Plugin KenBurner Slider - 'admin-ajax.php' Arbitrary File Download
by MF0x
Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities
by Samandeep Singh
LiveWorld LiveChat LiveForum LiveQ&A LiveFocusGroup - Cross-Site Scripting via q Parameter
Multiple cross-site scripting (XSS) vulnerabilities in LiveWorld products, possibly including (1) LiveForum, (2) LiveQ&A, (3) LiveChat, and (4) LiveFocusGroup, allow remote attackers to inject arbitrary web script or HTML via the q parameter in (a) search.jsp, (b) findclub!execute.jspa, and (c) search!execute.jspa.
by GulfTech Security
MyAwards MyBB Module - Cross-Site Request Forgery
by Vagineer
MyBB 1.8 Beta 3 - Multiple Vulnerabilities
by DemoLisH B3yaZ
ArticleFR < 3.0.4 - SQL Injection via rate.php id Parameter
Multiple SQL injection vulnerabilities in Free Reprintables ArticleFR 3.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) get or (2) set action to rate.php.
by High-Tech Bridge
ManageEngine Password Manager Pro 5-7 build 7003 - SQL Injection via MetadataServlet sv Parameter
SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.
by Pedro Ribeiro
WP Content Source Control < 3.0.0 - Path Traversal via Path Parameter
Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
by Henri Salo
Tenda A5s Firmware 3.02.05_CN - Unauthenticated Authentication Bypass via admin:language Cookie
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication and gain administrator access by setting the admin:language cookie to zh-cn.
by zixian
gb_gallery_slideshow 1.5 - Authenticated SQL Injection via selected_group Parameter
SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php.
by Claudio Viviani
TomatoCart <1.1.8.6.1 - SQL Injection
SQL injection vulnerability in TomatoCart 1.1.8.6.1 allows remote authenticated users to execute arbitrary SQL commands via the First Name and Last Name fields in a new address book contact.
by Breaking.Technology
PhotoSync Wifi & Bluetooth 1.0 - Local File Inclusion
by Vulnerability-Lab
Sky Broadband Router SR101 - Weak WPA-PSK Generation Algorithm
by Matt O'Connor
By Source