Text Exploits
31,394 exploits tracked across all sources.
WhyDoWork AdSense 1.2 - Cross-Site Request Forgery via wp-admin/options-general.php
Cross-site request forgery (CSRF) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the whydowork_adsense page in wp-admin/options-general.php.
by Dylan Irzi
Lead Octopus - SQL Injection via id Parameter
SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Amirh03in
FB Gorilla - SQL Injection via game_play.php id Parameter
SQL injection vulnerability in game_play.php in the FB Gorilla plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Amirh03in
Sphider 1.3.6 - Authenticated PHP Code Injection via _word_upper_bound Parameter
Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.
by Mike Manzotti
Oxwall 1.7.0- SkaDate Lite 2.0 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact via the (1) label parameter to admin/users/roles/, (2) lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0] in an AddAccountType action or (3) qst_name parameter in an addQuestion action to admin/questions/ajax-responder/, or (4) form_name or (5) restrictedUsername parameter to admin/restricted-usernames.
by LiquidWorm
CMSimple 4.4.4 - 'color' Remote Code Execution
by Govind Singh
CMSimple - Default Administrator Credentials
by Govind Singh
Ubiquiti Networks UniFi Controller <3.2.1 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity.
by Seth Art
CVSS 8.8
ZeroCMS 1.0 - Stored Cross-Site Scripting via Full Name Field
Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field.
by Mayuresh Dani
Moodle < 2.3.11, 2.4.x < 2.4.11, 2.5.x < 2.5.7, 2.6.x < 2.6.4, 2.7.x < 2.7.1 - Stored XSS via Skype ID
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.
by Osanda Malith Jayathissa
DirPHP 1.0 - Path Traversal via phpfile Parameter
Absolute path traversal vulnerability in DirPHP 1.0 allows remote attackers to read arbitrary files via a full pathname in the phpfile parameter to index.php.
by black hat
Zenoss 4.2.5 - Stored Cross-Site Scripting via Device Title
Cross-site scripting (XSS) vulnerability in Zenoss 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the title of a device.
by Dolev Farhi
Apptha WordPress Video Gallery <2014-07-23 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to (1) videoads/videoads.php, (2) video/video.php, or (3) playlist/playlist.php.
by Claudio Viviani
Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass / Persistent
by Vulnerability-Lab
Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure
by Dolev Farhi
IBM Global Console Manager <1.20.0.22575 Authenticated Arbitrary File Read via prodtest.php
prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter.
by Alejandro Alvarez Bravo
IBM Global Console Manager <1.20.0.22575 XSS via KVM CGI or AVCT Alert Key
Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to kvm.cgi or (2) the key parameter to avctalert.php.
by Alejandro Alvarez Bravo
World Of Warcraft 3.3.5a - 'macros-cache.txt' Stack Overflow
by Alireza Chegini
IBM Global Console Manager 16 and 32 Firmware < 1.20.0.22575 - Authenticated OS Command Injection via lpres Parameter
systest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the lpres parameter.
by Alejandro Alvarez Bravo
Apache HTTP Server 2.2.0-2.2.28 - Denial of Service via mod_status Scoreboard Handling
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
by Marek Kroemeke
WordPress Plugin WP BackupPlus - Database and Files Backup Download
by pSyCh0_3D
Microsoft Windows XP SP3 - Privilege Escalation
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.
by KoreLogic
By Source