Exploitdb Exploits
31,394 exploits tracked across all sources.
Technicolor TC7200 STD6.01.12 - Cross-Site Request Forgery via Multiple Endpoints
Multiple cross-site request forgery (CSRF) vulnerabilities in Technicolor (formerly Thomson) TC7200 STD6.01.12 allow remote attackers to hijack the authentication of administrators for requests that (1) perform a factory reset via a request to goform/system/factory, (2) disable advanced options via a request to goform/advanced/options, (3) remove ip-filters via the IpFilterAddressDelete1 parameter to goform/advanced/ip-filters, or (4) remove firewall settings via the cbFirewall parameter to goform/advanced/firewall.
by Jeroen - IT Nerdbox
Nisuta NS-WIR150NE/NS-WIR300N - Auth Bypass
The management web interface on the Nisuta NS-WIR150NE router with firmware 5.07.41 and Nisuta NS-WIR300N router with firmware 5.07.36_NIS01 allows remote attackers to bypass authentication via a "Cookie: :language=en" HTTP header.
by Amplia Security Advisories
Apache Libcloud 0.12.3-0.13.2 - Exposure of Sensitive Information via DigitalOcean Destroy API
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
by anonymous
Advanced Dewplayer <1.2 - Path Traversal
Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
by Henri Salo
Naxtech CMS Afroditi 1.0 - SQL Injection
SQL injection vulnerability in Naxtech CMS Afroditi 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to default.asp.
by projectzero labs
D-Link DSL-2750u ME_1.09 - Cross-Site Request Forgery
by FIGHTERx war
JForum - Cross-Site Request Forgery in Admin Module
Cross-site request forgery (CSRF) vulnerability in admBase/login.page in the Admin module in JForum allows remote attackers to hijack the authentication of administrators for requests that change the user group permissions of arbitrary users via a groupsSave action.
by arno
AFCommerce - 'controlheader.php' Remote File Inclusion
by NoGe
AFCommerce - 'adminpassword.php' Remote File Inclusion
by NoGe
Huawei Mobile Partner 23.009.05.03.1014 - Untrusted Search Path and DLL Hijacking via wintab32.dll
Untrusted search path vulnerability in Huawei Mobile Partner for Windows 23.009.05.03.1014 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll in the Mobile Partner directory.
by LiquidWorm
xBoard 5.0/5.5/6.0 - 'view.php' Local File Inclusion
by TUNISIAN CYBER
Song Exporter 2.1.1 RS iOS - Local File Inclusion
by Vulnerability-Lab
Synology DiskStation Manager - Path Traversal via FileBrowser Components
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.
by Andrea Fabrizi
WordPress Theme Persuasion 2.x - Arbitrary File Download / File Deletion
by Interference Security
Cisco EPC3925 - Cross-Site Request Forgery via Quick Setup Password Change
Cross-site request forgery (CSRF) vulnerability in goform/Quick_setup on Cisco EPC3925 devices allows remote attackers to hijack the authentication of administrators for requests that change a password via the Password and PasswordReEnter parameters, aka Bug ID CSCuh37496.
by Jeroen - IT Nerdbox
Hancom Office 2010 SE - Buffer Overflow
Buffer overflow in Hancom Office 2010 SE allows remote attackers to execute arbitrary via a long string in the Text attribute in a TEXTART XML element in an HML file.
by diroverflow
Debian Linux - Authentication Bypass
denyhosts 2.6 uses an incorrect regular expression when analyzing authentication logs, which allows remote attackers to cause a denial of service (incorrect block of IP addresses) via crafted login names.
by Helmut Grohne
Jenkins Plugin for SonarQube <= 3.7 - Authenticated Cleartext Password Exposure via sonar.sonarPassword Parameter
The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.
by Christian Catalano
Leed Light Feed <1.5 - SQL Injection
SQL injection vulnerability in action.php in Leed (Light Feed), possibly before 1.5 Stable, allows remote attackers to execute arbitrary SQL commands via the id parameter in a removeFolder action.
by Alexandre Herzog
Jenkins 1.523 - Stored Cross-Site Scripting via User Description Field
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
by Christian Catalano
CRU Ditto Forensic FieldStation Firmware < 2013Oct15a - Cross-Site Request Forgery
Cross-site request forgery (CSRF) vulnerability in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to hijack the authentication of administrators for requests that modify the disk erase technique settings via unspecified vectors.
by Martin Wundram
CRU Ditto Forensic FieldStation Firmware < 2013Oct15a - Cross-Site Scripting via Username Parameter
Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Forensic FieldStation with firmware 2013Oct15a and earlier allow (1) remote attackers to inject arbitrary web script or HTML via the username parameter in a login or (2) remote authenticated users to inject arbitrary web script or HTML via unspecified form fields.
by Martin Wundram
CRU Ditto Forensic FieldStation Firmware < 2013Oct15a - OS Command Injection via Sector Size or Skip Count Fields
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
by Martin Wundram
By Source