Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2014-9099 EXPLOITDB text VERIFIED
WhyDoWork AdSense 1.2 - Cross-Site Request Forgery via wp-admin/options-general.php
Cross-site request forgery (CSRF) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the whydowork_adsense page in wp-admin/options-general.php.
by Dylan Irzi
CVE-2014-5189 EXPLOITDB text VERIFIED
Lead Octopus - SQL Injection via id Parameter
SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Amirh03in
CVE-2014-5200 EXPLOITDB text VERIFIED
FB Gorilla - SQL Injection via game_play.php id Parameter
SQL injection vulnerability in game_play.php in the FB Gorilla plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Amirh03in
CVE-2014-5194 EXPLOITDB text VERIFIED
Sphider 1.3.6 - Authenticated PHP Code Injection via _word_upper_bound Parameter
Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.
by Mike Manzotti
CVE-2014-9101 EXPLOITDB text
Oxwall 1.7.0- SkaDate Lite 2.0 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact via the (1) label parameter to admin/users/roles/, (2) lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0] in an AddAccountType action or (3) qst_name parameter in an addQuestion action to admin/questions/ajax-responder/, or (4) form_name or (5) restrictedUsername parameter to admin/restricted-usernames.
by LiquidWorm
EIP-2026-106017 EXPLOITDB text VERIFIED
CMSimple 4.4.4 - Remote File Inclusion
by Govind Singh
EIP-2026-106016 EXPLOITDB text VERIFIED
CMSimple 4.4.4 - 'color' Remote Code Execution
by Govind Singh
EIP-2026-106013 EXPLOITDB text VERIFIED
CMSimple - Default Administrator Credentials
by Govind Singh
CVE-2014-2225 EXPLOITDB HIGH text
Ubiquiti Networks UniFi Controller <3.2.1 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity.
by Seth Art
CVSS 8.8
CVE-2014-4710 EXPLOITDB text
ZeroCMS 1.0 - Stored Cross-Site Scripting via Full Name Field
Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field.
by Mayuresh Dani
CVE-2014-3544 EXPLOITDB text
Moodle < 2.3.11, 2.4.x < 2.4.11, 2.5.x < 2.5.7, 2.6.x < 2.6.4, 2.7.x < 2.7.1 - Stored XSS via Skype ID
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.
by Osanda Malith Jayathissa
CVE-2014-5115 EXPLOITDB text VERIFIED
DirPHP 1.0 - Path Traversal via phpfile Parameter
Absolute path traversal vulnerability in DirPHP 1.0 allows remote attackers to read arbitrary files via a full pathname in the phpfile parameter to index.php.
by black hat
EIP-2026-101074 EXPLOITDB text
Sagem Fast 3304-V1 - Denial of Service
by Z3ro0ne
CVE-2014-3738 EXPLOITDB text
Zenoss 4.2.5 - Stored Cross-Site Scripting via Device Title
Cross-site scripting (XSS) vulnerability in Zenoss 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the title of a device.
by Dolev Farhi
CVE-2014-9098 EXPLOITDB text
Apptha WordPress Video Gallery <2014-07-23 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to (1) videoads/videoads.php, (2) video/video.php, or (3) playlist/playlist.php.
by Claudio Viviani
EIP-2026-101831 EXPLOITDB text
Lian Li NAS - Multiple Vulnerabilities
by pws
EIP-2026-104185 EXPLOITDB text
Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass / Persistent
by Vulnerability-Lab
EIP-2026-101861 EXPLOITDB text
Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure
by Dolev Farhi
CVE-2014-3081 EXPLOITDB text VERIFIED
IBM Global Console Manager <1.20.0.22575 Authenticated Arbitrary File Read via prodtest.php
prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter.
by Alejandro Alvarez Bravo
CVE-2014-3080 EXPLOITDB text VERIFIED
IBM Global Console Manager <1.20.0.22575 XSS via KVM CGI or AVCT Alert Key
Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to kvm.cgi or (2) the key parameter to avctalert.php.
by Alejandro Alvarez Bravo
EIP-2026-116577 EXPLOITDB text
World Of Warcraft 3.3.5a - 'macros-cache.txt' Stack Overflow
by Alireza Chegini
CVE-2014-3085 EXPLOITDB text VERIFIED
IBM Global Console Manager 16 and 32 Firmware < 1.20.0.22575 - Authenticated OS Command Injection via lpres Parameter
systest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the lpres parameter.
by Alejandro Alvarez Bravo
CVE-2014-0226 EXPLOITDB text
Apache HTTP Server 2.2.0-2.2.28 - Denial of Service via mod_status Scoreboard Handling
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
by Marek Kroemeke
EIP-2026-114207 EXPLOITDB text VERIFIED
WordPress Plugin WP BackupPlus - Database and Files Backup Download
by pSyCh0_3D
CVE-2014-4971 EXPLOITDB text
Microsoft Windows XP SP3 - Privilege Escalation
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.
by KoreLogic