Exploitdb Exploits
31,394 exploits tracked across all sources.
Spider Video Player 2.1 - SQL Injection via Theme Parameter
SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the theme parameter.
by Ashiyane Digital Security Team
Request Tracker < 4.0.9 - SQL Injection via ShowPending Parameter
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.
by cheki
Spiffy XSPF Player plugin 0.1 - SQL Injection via playlist_id Parameter
SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin 0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the playlist_id parameter.
by Ashiyane Digital Security Team
Hero Framework - '/users/forgot_password?error' Cross-Site Scripting
by High-Tech Bridge
Hero Framework - '/users/forgot_password?error' Cross-Site Scripting
by High-Tech Bridge
ZAPms < 1.41 - SQL Injection via Product PID Parameter
SQL injection vulnerability in ZAPms 1.41 and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter to product.
by NoGe
Trafficanalyzer - XSS
Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.
by Beni_Vanda
phpMyAdmin < 3.5.8 - Cross-Site Scripting via visualizationSettings Parameters
Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable.
by waraxe
CVSS 6.1
EasyPHP - '/index.php' Authentication Bypass / Remote PHP Code Injection
by KedAns-Dz
Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities
by shekyan
Groovy Media Player 3.2.0 - Remote Code Execution via Long String in .m3u File
Buffer overflow in Groovy Media Player 3.2.0 allows remote attackers to execute arbitrary code via a long string in a .m3u file.
by Akshaysinh Vaghela
WHMCS Group Pay < 1.5 - SQL Injection via Hash Parameter
SQL injection vulnerability in the gp_LoadUserFromHash function in functions_hash.php in the Group Pay module 1.5 and earlier for WHMCS allows remote attackers to execute arbitrary SQL commands via the hash parameter.
by HJauditing Employee Tim
Vanilla Forums < 2.0.18.8 - SQL Injection via Form/Email Parameter
Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.
by bl4ckw0rm
OpenCart - Cross-Site Request Forgery (Change User Password)
by Saadi Siddiqui
OTRS FAQ < 2.0.8 and OTRS ITSM < 3.0.7 - Cross-Site Scripting via Changes, Workorder Items, and FAQ Articles
A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.
by Luigi Vezzoso
CVSS 6.1
Google AD Sync Tool - Exposure of Sensitive Information
by Sense of Security
Sophos Web Appliance <3.7.8.2 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.
by SEC Consult
MongoDB < 2.0.9 and 2.2.x < 2.2.4 - Authenticated Remote Code Execution via nativeHelper Function
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
by agix
TP-Link TD-8817 6.0.1 Build 111128 Rel.26763 - Cross-Site Request Forgery
by Un0wn_X
Belkin Wemo Switch <WeMo_US_2.00.2176.PVT - Code Injection
Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system.
by Daniel Buentello
CVSS 9.8
Zimbra 2013 - Cross-Site Scripting in aspell.php
Zimbra 2013 has XSS in aspell.php
by Michael Scherer
CVSS 6.1
PHP Address Book 8.2.5 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.
by Jurgen Voorneveld
PHP Address Book 8.2.5 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.
by Jurgen Voorneveld
By Source