Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2014-0007 EXPLOITDB text VERIFIED
Foreman <1.4.5, <1.5.1 - Command Injection
The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file.
by Lukas Zapletal
CVE-2014-3878 EXPLOITDB text
Ipswitch IMail Server 12.3-12.4 - Cross-Site Scripting via Web Client Interface
Multiple cross-site scripting (XSS) vulnerabilities in the web client interface in Ipswitch IMail Server 12.3 and 12.4, possibly before 12.4.1.15, allow remote attackers to inject arbitrary web script or HTML via (1) the Name field in an add new contact action in the Contacts section or unspecified vectors in (2) an Add Group task in the Contacts section, (3) an add new event action in the Calendar section, or (4) the Task section.
by Peru
EIP-2026-110997 EXPLOITDB text VERIFIED
PHPBTTracker+ 2.2 - SQL Injection
by BackBox Linux Team
EIP-2026-102301 EXPLOITDB text
TigerCom My Assistant 1.1 iOS - Local File Inclusion
by Vulnerability-Lab
EIP-2026-102288 EXPLOITDB text
Privacy Pro 1.2 HZ iOS - Local File Inclusion
by Vulnerability-Lab
EIP-2026-102262 EXPLOITDB text
NG WifiTransfer Pro 1.1 - Local File Inclusion
by Vulnerability-Lab
EIP-2026-102235 EXPLOITDB text
Files Desk Pro 1.4 iOS - Local File Inclusion
by Vulnerability-Lab
EIP-2026-102218 EXPLOITDB text
Bluetooth Photo-File Share 2.1 iOS - Multiple Vulnerabilities
by Vulnerability-Lab
EIP-2026-102216 EXPLOITDB text
AllReader 1.0 iOS - Multiple Vulnerabilities
by Vulnerability-Lab
CVE-2014-3961 EXPLOITDB text
WordPress Participants Database <1.5.4.9 - SQL Injection
SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an "output CSV" action to pdb-signup/.
by Yarubo Research Team
CVE-2014-2946 EXPLOITDB text VERIFIED
Huawei WebUI 11.010.06.01.858 - Cross-Site Request Forgery via SMS API
Cross-site request forgery (CSRF) vulnerability in api/sms/send-sms in the Web UI 11.010.06.01.858 on Huawei E303 modems with software 22.157.18.00.858 allows remote attackers to hijack the authentication of administrators for requests that perform API operations and send SMS messages via a request element in an XML document.
by Benjamin Daniel Mussler
CVE-2014-3975 EXPLOITDB text VERIFIED
AuraCMS 3.0 - Path Traversal via filemanager.php viewdir Parameter
Absolute path traversal vulnerability in filemanager.php in AuraCMS 3.0 allows remote attackers to list a directory via a full pathname in the viewdir parameter.
by Mustafa ALTINKAYNAK
CVE-2014-4938 EXPLOITDB text VERIFIED
WP Rss Poster <1.0.0 - SQL Injection
SQL injection vulnerability in the WP Rss Poster (wp-rss-poster) plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in the wrp-add-new page to wp-admin/admin.php.
by Anant Shrivastava
CVE-2014-4940 EXPLOITDB text VERIFIED
Tera Charts 0.1 - Path Traversal via fn Parameter
Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.
by Anant Shrivastava
CVE-2014-4940 EXPLOITDB text VERIFIED
Tera Charts 0.1 - Path Traversal via fn Parameter
Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.
by Anant Shrivastava
CVE-2014-5180 EXPLOITDB text VERIFIED
HDW Player Plugin 2.4.2 - Authenticated SQL Injection via id Parameter
SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php.
by Anant Shrivastava
CVE-2014-4939 EXPLOITDB text VERIFIED
ENL Newsletter <1.0.1 - SQL Injection
SQL injection vulnerability in the ENL Newsletter (enl-newsletter) plugin 1.0.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the enl-add-new page to wp-admin/admin.php.
by Anant Shrivastava
CVE-2014-4937 EXPLOITDB text VERIFIED
BookX 1.7 - Path Traversal via File Parameter
Directory traversal vulnerability in includes/bookx_export.php BookX plugin 1.7 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
by Anant Shrivastava
CVE-2014-2303 EXPLOITDB text VERIFIED
webEdition CMS <6.3.8-s1 - SQL Injection
Multiple SQL injection vulnerabilities in the file browser component (we_fs.php) in webEdition CMS before 6.2.7-s1.2 and 6.3.x through 6.3.8 before -s1 allow remote attackers to execute arbitrary SQL commands via the (1) table or (2) order parameter.
by RedTeam Pentesting GmbH
CVE-2014-3415 EXPLOITDB text
Sharetronix < 3.3 - Authenticated SQL Injection via invite_users[] Parameter
SQL injection vulnerability in Sharetronix before 3.4 allows remote authenticated users to execute arbitrary SQL commands via the invite_users[] parameter to the /invite page for a group.
by High-Tech Bridge SA
CVE-2014-3974 EXPLOITDB text VERIFIED
auracms < 3.0 - Cross-Site Scripting via filemanager.php viewdir Parameter
Cross-site scripting (XSS) vulnerability in filemanager.php in AuraCMS 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the viewdir parameter.
by Mustafa ALTINKAYNAK
CVE-2014-3004 EXPLOITDB text VERIFIED
Castor < 1.3.3 - XML External Entity Injection via Default Xerces SAX Parser Configuration
The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
by Ron Gutierrez
CVE-2014-3962 EXPLOITDB text VERIFIED
Videos Tube 1.0 - SQL Injection via URL Parameter
Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow remote attackers to execute arbitrary SQL commands via the url parameter to (1) videocat.php or (2) single.php.
by Mustafa ALTINKAYNAK
CVE-2014-4162 EXPLOITDB text
Zyxel P-660HW-T1 v3 - Cross-Site Request Forgery via WLAN_General_1 Form
Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1.
by Mustafa ALTINKAYNAK
EIP-2026-101655 EXPLOITDB text VERIFIED
D-Link Routers - Multiple Vulnerabilities
by Kyle Lovett