Text Exploits
31,394 exploits tracked across all sources.
HybridAuth 2.0.9-2.2.2 - Unauthenticated Remote Code Execution via install.php Config Injection
A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.
by @u0x
Pro Chat Rooms Text Chat Rooms 8.2.0 - Authenticated SQL Injection via Password, Email, or ID Parameter
Multiple SQL injection vulnerabilities in includes/functions.php in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) password, (2) email, or (3) id parameter.
by Mike Manzotti
WordPress Plugin wpSS - 'ss_handler.php' SQL Injection
by Ashiyane Digital Security Team
Pro Chat Rooms Text Chat Rooms 8.2.0 - Authenticated Cross-Site Scripting via Profile Picture Upload or Edit Parameter
Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture or (2) the edit parameter to profiles/index.php.
by Mike Manzotti
Barracuda WAF 7.8.1.013 - Auth Bypass
Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.
by Nick Hayes
CVSS 9.8
RaidenTunes - 'music_out.php' Cross-Site Scripting
by LiquidWorm
TP-Link TL-WR740N v4 Router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) - Command Execution
by Christoph Kuhl
status2k 2.5 - Remote Code Execution via Multies Parameter
A vulnerability exits in Status2K 2.5 Server Monitoring Software via the multies parameter to includes/functions.php, which could let a malicious user execute arbitrary PHP code.
by Shayan S
CVSS 9.8
sphider < 1.3.6, sphider-pro < 3.2, sphider-plus < 3.2 - Authentication Bypass
sphider prior to 1.3.6, sphider-pro prior to 3.2, and sphider-plus prior to 3.2 allow authentication bypass
by Shayan S
CVSS 9.8
status2k - Unauthenticated Sensitive Information Exposure via phpinfo Action
Status2k allows remote attackers to obtain configuration information via a phpinfo action in a request to status/index.php, which calls the phpinfo function.
by Shayan S
Sphider < 1.3.6 - Remote Code Execution via admin/spiderfuncs.php
A vulnerability exists in Sphider Search Engine prior to 1.3.6 due to exec calls in admin/spiderfuncs.php, which could let a remote malicious user execute arbitrary code.
by Shayan S
CVSS 9.8
ArticleFR 11.06.2014 - Privilege Escalation
A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information.
by High-Tech Bridge SA
CVSS 9.8
ISPConfig 3.0.54p1 - (Authenticated) Admin Privilege Escalation
by mra
TigerCom iFolder+ 1.2 iOS - Multiple Vulnerabilities
by Vulnerability-Lab
D-Link DWR-113 Firmware < 2.03b02 - Cross-Site Request Forgery
Cross-site request forgery (CSRF) vulnerability in D-Link DWR-113 (Rev. Ax) with firmware before 2.03b02 allows remote attackers to hijack the authentication of administrators for requests that change the admin password via unspecified vectors.
by Blessen Thomas
CVSS 8.8
Sphider 1.3.6 - Cross-Site Scripting via Category Parameter
Cross-site scripting (XSS) vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the category parameter. NOTE: the url parameter vector is already covered by CVE-2014-5082.
by Mike Manzotti
Sphider 1.3.6 - SQL Injection via Admin Filter Parameter
SQL injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to execute arbitrary SQL commands via the filter parameter.
by Mike Manzotti
sphider < 1.3.6 - SQL Injection via site_id or url Parameter
Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1.3.6 and earlier, Sphider Pro, and Sphider-plus allow remote attackers to execute arbitrary SQL commands via the (1) site_id or (2) url parameter.
by Mike Manzotti
By Source