Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2014-5007 EXPLOITDB CRITICAL text
ManageEngine Desktop Central 7.0-9.0 - Path Traversal & Arbitrary File Write via AgentLogUploader
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.
by Pedro Ribeiro
CVSS 9.8
CVE-2014-2927 EXPLOITDB text
F5 Arx - Authentication Bypass
The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 11.5.0 before HF4, 11.4.1 before HF4, 11.4.0 before HF7, 11.3.0 before HF9, and 11.2.1 before HF11 and Enterprise Manager 3.x before 3.1.1 HF2, when configured in failover mode, does not require authentication, which allows remote attackers to read or write to arbitrary files via a cmi request to the ConfigSync IP address.
by Security-Assessment.com
CVE-2014-5465 EXPLOITDB text VERIFIED
Download Shortcode < 0.2.3 - Path Traversal via File Parameter
Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
by Mehdi Karout & Christian Galeone
CVE-2014-5377 EXPLOITDB text
ManageEngine DeviceExpert < 5.9 - Unauthenticated Exposure of Sensitive Information via ReadUsersFromMasterServlet
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
by Pedro Ribeiro
EIP-2026-114192 EXPLOITDB text
WordPress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities
by Mike Manzotti
EIP-2026-108872 EXPLOITDB text VERIFIED
Joomla! Component spidervideoplayer - 'theme' SQL Injection
by Claudio Viviani
CVE-2014-5464 EXPLOITDB text
ntopng < 1.2.1 - Cross-Site Scripting via HTTP Host Header
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
by Steffen Bauch
CVE-2014-2081 EXPLOITDB text VERIFIED
Innovative vtls-Virtua <2014.1.1 - SQL Injection
Multiple SQL injection vulnerabilities in the login in web_reports/cgi-bin/InfoStation.cgi in Innovative vtls-Virtua before 2013.2.4 and 2014.x before 2014.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.
by José Tozo
EIP-2026-110765 EXPLOITDB text VERIFIED
PHP Stock Management System 1.02 - Multiple Persistent Cross-Site Scripting Vulnerabilities
by Ragha Deepthi K R
CVE-2014-5335 EXPLOITDB text
innovaphone PBX < 10.00 - Cross-Site Request Forgery via CMD0/mod_cmd.xml or PBX0/ADMIN/mod_cmd_login.xml
Multiple cross-site request forgery (CSRF) vulnerabilities in innovaphone PBX 10.00 sr11 and earlier allow remote attackers to hijack the authentication of administrators for requests that modify configurations or user accounts, as demonstrated by (1) changing the administrator password via a crafted request to CMD0/mod_cmd.xml or (2) adding a new SIP user via a crafted request to PBX0/ADMIN/mod_cmd_login.xml.
by Rainer Giedat
EIP-2026-113852 EXPLOITDB text VERIFIED
WordPress Plugin KenBurner Slider - 'admin-ajax.php' Arbitrary File Download
by MF0x
EIP-2026-102196 EXPLOITDB text
Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities
by Samandeep Singh
CVE-2004-2566 EXPLOITDB text
LiveWorld LiveChat LiveForum LiveQ&A LiveFocusGroup - Cross-Site Scripting via q Parameter
Multiple cross-site scripting (XSS) vulnerabilities in LiveWorld products, possibly including (1) LiveForum, (2) LiveQ&A, (3) LiveChat, and (4) LiveFocusGroup, allow remote attackers to inject arbitrary web script or HTML via the q parameter in (a) search.jsp, (b) findclub!execute.jspa, and (c) search!execute.jspa.
by GulfTech Security
EIP-2026-109679 EXPLOITDB text VERIFIED
MyAwards MyBB Module - Cross-Site Request Forgery
by Vagineer
EIP-2026-109697 EXPLOITDB text VERIFIED
MyBB 1.8 Beta 3 - Multiple Vulnerabilities
by DemoLisH B3yaZ
CVE-2014-5097 EXPLOITDB text VERIFIED
ArticleFR < 3.0.4 - SQL Injection via rate.php id Parameter
Multiple SQL injection vulnerabilities in Free Reprintables ArticleFR 3.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) get or (2) set action to rate.php.
by High-Tech Bridge
CVE-2014-3997 EXPLOITDB text VERIFIED
ManageEngine Password Manager Pro 5-7 build 7003 - SQL Injection via MetadataServlet sv Parameter
SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.
by Pedro Ribeiro
CVE-2014-5368 EXPLOITDB text VERIFIED
WP Content Source Control < 3.0.0 - Path Traversal via Path Parameter
Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
by Henri Salo
CVE-2014-5246 EXPLOITDB text
Tenda A5s Firmware 3.02.05_CN - Unauthenticated Authentication Bypass via admin:language Cookie
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication and gain administrator access by setting the admin:language cookie to zh-cn.
by zixian
CVE-2014-8375 EXPLOITDB text VERIFIED
gb_gallery_slideshow 1.5 - Authenticated SQL Injection via selected_group Parameter
SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php.
by Claudio Viviani
CVE-2014-3978 EXPLOITDB text
TomatoCart <1.1.8.6.1 - SQL Injection
SQL injection vulnerability in TomatoCart 1.1.8.6.1 allows remote authenticated users to execute arbitrary SQL commands via the First Name and Last Name fields in a new address book contact.
by Breaking.Technology
EIP-2026-102282 EXPLOITDB text
PhotoSync Wifi & Bluetooth 1.0 - Local File Inclusion
by Vulnerability-Lab
EIP-2026-102225 EXPLOITDB text
Easy FTP Pro 4.2 iOS - Command Injection
by Vulnerability-Lab
EIP-2026-101081 EXPLOITDB text
Sky Broadband Router SR101 - Weak WPA-PSK Generation Algorithm
by Matt O'Connor
EIP-2026-101078 EXPLOITDB text
SHARP MX Series - Denial of Service
by pws