Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-112590 EXPLOITDB text
Telmanik CMS Press 1.01b - 'pages.php?page_name' SQL Injection
by Anarchy Angel
CVE-2013-4898 EXPLOITDB text
Timeline Plugin 4.2.5p9 for SocialEngine - Arbitrary File Upload & RCE via User Profile
Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in public/temporary/timeline/.
by spyk2r
CVE-2013-5318 EXPLOITDB text VERIFIED
Ginkgo CMS 5.0 - SQL Injection
SQL injection vulnerability in Ginkgo CMS 5.0 allows remote attackers to execute arbitrary SQL commands via the rang parameter to index.php.
by Raw-x
EIP-2026-107310 EXPLOITDB text
FunGamez - Arbitrary File Upload
by cr4wl3r
CVE-2013-4789 EXPLOITDB text VERIFIED
Cotonti Siena < 0.9.14 - SQL Injection via RSS Module c Parameter
SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php.
by High-Tech Bridge SA
CVE-2013-5006 EXPLOITDB text
Western Digital My Net - Info Disclosure
main_internet.php on the Western Digital My Net N600 and N750 with firmware 1.03.12 and 1.04.16, and the N900 and N900C with firmware 1.05.12, 1.06.18, and 1.06.28, allows remote attackers to discover the cleartext administrative password by reading the "var pass=" line within the HTML source code.
by Kyle Lovett
CVE-2013-2581 EXPLOITDB text VERIFIED
TP-Link IP Cameras <LM.1.6.18P12_sign6 - RCE
cgi-bin/firmwareupgrade in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to modify the firmware revision via a "preset" action.
by Core Security
CVE-2013-4865 EXPLOITDB MEDIUM text VERIFIED
MiCasaVerde VeraLite <1.5.408 - CSRF
Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the squashfs parameter.
by Trustwave's SpiderLabs
CVSS 6.5
CVE-2013-4859 EXPLOITDB HIGH text VERIFIED
INSTEON Hub 2242-222 - No Auth Required
INSTEON Hub 2242-222 lacks Web and API authentication
by Trustwave's SpiderLabs
CVSS 8.1
CVE-2013-7389 EXPLOITDB text
D-Link DIR-645 < 1.04B11 - Cross-Site Scripting via Parental Controls Bind Parameter
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.
by Roberto Paleari
CVE-2013-4868 EXPLOITDB MEDIUM text VERIFIED
Karotz API <12.07.19.00 - Info Disclosure
Karotz API 12.07.19.00: Session Token Information Disclosure
by Trustwave's SpiderLabs
CVSS 5.3
CVE-2013-2653 EXPLOITDB text VERIFIED
SilverStripe 3.0.3 - Phishing Attack via GET Request Login
security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim.
by Fara Rustein
CVE-2013-4200 EXPLOITDB text VERIFIED
Plone 2.1-4.1, 4.2-4.2.5, 4.3-4.3.1 - Open Redirect via Space-Prefixed URL in 'next' Parameter
The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login.
by Cyrill Bannwart
CVE-2013-4624 EXPLOITDB text VERIFIED
Jahia xCM 6.6.1.0 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Jahia xCM 6.6.1.0 before hotfix 7 allow remote attackers to inject arbitrary web script or HTML via (1) the site parameter to engines/manager.jsp, (2) the searchString parameter to administration/ in a search action, or the (3) username, (4) firstName, (5) lastName, (6) email, or (7) organization field to administration/ in a users action.
by High-Tech Bridge
CVE-2013-4624 EXPLOITDB text VERIFIED
Jahia xCM 6.6.1.0 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Jahia xCM 6.6.1.0 before hotfix 7 allow remote attackers to inject arbitrary web script or HTML via (1) the site parameter to engines/manager.jsp, (2) the searchString parameter to administration/ in a search action, or the (3) username, (4) firstName, (5) lastName, (6) email, or (7) organization field to administration/ in a users action.
by High-Tech Bridge
EIP-2026-107160 EXPLOITDB text
FluxBB 1.5.3 - Multiple Vulnerabilities
by LiquidWorm
EIP-2026-102307 EXPLOITDB text
WebDisk 3.0.2 PhotoViewer iOS - Command Execution
by Vulnerability-Lab
EIP-2026-102291 EXPLOITDB text
Private Photos 1.0 iOS - Persistent Cross-Site Scripting
by Vulnerability-Lab
EIP-2026-113442 EXPLOITDB text
Windu CMS 2.2 - Multiple Vulnerabilities
by LiquidWorm
CVE-2013-1616 EXPLOITDB text VERIFIED
Symantec Web Gateway < 5.1.1 - OS Command Injection via Management Console
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote attackers to execute arbitrary commands by injecting a command into an application script.
by SEC Consult
EIP-2026-106690 EXPLOITDB text
Easy Blog by JM LLC - Multiple Vulnerabilities
by Sp3ctrecore
EIP-2026-105402 EXPLOITDB text
Basic Forum by JM LLC - Multiple Vulnerabilities
by Sp3ctrecore
EIP-2026-105092 EXPLOITDB text VERIFIED
Alienvault Open Source SIEM (OSSIM) - Multiple Cross-Site Scripting Vulnerabilities
by xistence
CVE-2013-4625 EXPLOITDB text VERIFIED
Duplicator < 0.4.5 - Cross-Site Scripting via Package Parameter
Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
by High-Tech Bridge
EIP-2026-112997 EXPLOITDB text VERIFIED
vBulletin 4.0.2 - 'update_order' SQL Injection
by n3tw0rk