Exploitdb Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2013-3532 EXPLOITDB text VERIFIED
Spider Video Player 2.1 - SQL Injection via Theme Parameter
SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the theme parameter.
by Ashiyane Digital Security Team
CVE-2013-3525 EXPLOITDB text VERIFIED
Request Tracker < 4.0.9 - SQL Injection via ShowPending Parameter
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.
by cheki
CVE-2013-3530 EXPLOITDB text VERIFIED
Spiffy XSPF Player plugin 0.1 - SQL Injection via playlist_id Parameter
SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin 0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the playlist_id parameter.
by Ashiyane Digital Security Team
CVE-2013-2649 EXPLOITDB text VERIFIED
Hero Framework - '/users/forgot_password?error' Cross-Site Scripting
by High-Tech Bridge
CVE-2013-2649 EXPLOITDB text VERIFIED
Hero Framework - '/users/forgot_password?error' Cross-Site Scripting
by High-Tech Bridge
CVE-2013-3050 EXPLOITDB text VERIFIED
ZAPms < 1.41 - SQL Injection via Product PID Parameter
SQL injection vulnerability in ZAPms 1.41 and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter to product.
by NoGe
CVE-2013-3526 EXPLOITDB text VERIFIED
Trafficanalyzer - XSS
Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.
by Beni_Vanda
CVE-2013-1937 EXPLOITDB MEDIUM text VERIFIED
phpMyAdmin < 3.5.8 - Cross-Site Scripting via visualizationSettings Parameters
Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable.
by waraxe
CVSS 6.1
EIP-2026-106729 EXPLOITDB text VERIFIED
EasyPHP - '/index.php' Authentication Bypass / Remote PHP Code Injection
by KedAns-Dz
EIP-2026-101283 EXPLOITDB text VERIFIED
Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities
by shekyan
CVE-2013-2760 EXPLOITDB text VERIFIED
Groovy Media Player 3.2.0 - Remote Code Execution via Long String in .m3u File
Buffer overflow in Groovy Media Player 3.2.0 allows remote attackers to execute arbitrary code via a long string in a .m3u file.
by Akshaysinh Vaghela
CVE-2013-3536 EXPLOITDB text
WHMCS Group Pay < 1.5 - SQL Injection via Hash Parameter
SQL injection vulnerability in the gp_LoadUserFromHash function in functions_hash.php in the Group Pay module 1.5 and earlier for WHMCS allows remote attackers to execute arbitrary SQL commands via the hash parameter.
by HJauditing Employee Tim
CVE-2013-3527 EXPLOITDB text
Vanilla Forums < 2.0.18.8 - SQL Injection via Form/Email Parameter
Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.
by bl4ckw0rm
EIP-2026-110261 EXPLOITDB text VERIFIED
OpenCart - Cross-Site Request Forgery (Change User Password)
by Saadi Siddiqui
CVE-2013-2637 EXPLOITDB MEDIUM text VERIFIED
OTRS FAQ < 2.0.8 and OTRS ITSM < 3.0.7 - Cross-Site Scripting via Changes, Workorder Items, and FAQ Articles
A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.
by Luigi Vezzoso
CVSS 6.1
EIP-2026-103776 EXPLOITDB text
Google AD Sync Tool - Exposure of Sensitive Information
by Sense of Security
CVE-2013-2643 EXPLOITDB text
Sophos Web Appliance <3.7.8.2 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.
by SEC Consult
CVE-2013-1892 EXPLOITDB text VERIFIED
MongoDB < 2.0.9 and 2.2.x < 2.2.4 - Authenticated Remote Code Execution via nativeHelper Function
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
by agix
EIP-2026-102953 EXPLOITDB text
PonyOS 0.4.99-mlp - Multiple Vulnerabilities
by John Cartwright
EIP-2026-102060 EXPLOITDB text
TP-Link TD-8817 6.0.1 Build 111128 Rel.26763 - Cross-Site Request Forgery
by Un0wn_X
EIP-2026-101613 EXPLOITDB text
D-Link - Multiple Vulnerabilities
by m-1-k-3
CVE-2013-2748 EXPLOITDB CRITICAL text
Belkin Wemo Switch <WeMo_US_2.00.2176.PVT - Code Injection
Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system.
by Daniel Buentello
CVSS 9.8
CVE-2013-1938 EXPLOITDB MEDIUM text VERIFIED
Zimbra 2013 - Cross-Site Scripting in aspell.php
Zimbra 2013 has XSS in aspell.php
by Michael Scherer
CVSS 6.1
CVE-2013-0135 EXPLOITDB text VERIFIED
PHP Address Book 8.2.5 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.
by Jurgen Voorneveld
CVE-2013-0135 EXPLOITDB text VERIFIED
PHP Address Book 8.2.5 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.
by Jurgen Voorneveld