Text Exploits
31,339 exploits tracked across all sources.
IBM Websphere MQ - Access Control
The Web Gateway component in IBM WebSphere MQ File Transfer Edition 7.0.4 and earlier allows remote authenticated users to read files of arbitrary users via vectors involving a username in a URI, as demonstrated by a modified metadata=fteSamplesUser field to the /transfer URI.
by Nir Valtman
IBM Websphere MQ < 7.0.4 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in the Web Gateway component in IBM WebSphere MQ File Transfer Edition 7.0.4 and earlier, and WebSphere MQ - Managed File Transfer 7.5, allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add user accounts via the /wmqfteconsole/Filespaces URI, (2) modify permissions via the /wmqfteconsole/FileSpacePermisssions URI, or (3) add MQ Message Descriptor (MQMD) user accounts via the /wmqfteconsole/UploadUsers URI.
by Nir Valtman
WordPress Plugin RSVPMaker 2.5.4 - Persistent Cross-Site Scripting
by Chris Kellum
Totalshopuk Ecommerce < 2.1.2 - XSS
Cross-site scripting (XSS) vulnerability in the refresh_page function in application/modules/_main/views/_top.php in Total Shop UK eCommerce Open Source before 2.1.2_p1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
by Chris Cooper
Hotel Booking Portal 0.1 - Multiple Vulnerabilities
by Yakir Wizman
Oracle Solaris - Info Disclosure
Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager.
by Larry Cashdollar
MindTouch DekiWiki - Multiple Local/Remote File Inclusions
by L0n3ly-H34rT
Flynax General Classifieds CMS 4.0 - Multiple Vulnerabilities
by Vulnerability-Lab
FileContral - Local File Inclusion / Local File Disclosure
by Ashiyane Digital Security Team
MobileCartly 1.0 - File Creation
MobileCartly version 1.0 contains an arbitrary file creation vulnerability in the savepage.php script. The application fails to perform authentication or authorization checks before invoking file_put_contents() on attacker-controlled input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP GET requests to savepage.php, specifying both the filename and content. This allows arbitrary file creation within the pages/ directory or any writable path on the server, allowing remote code execution.
by Yakir Wizman
GalaxyScripts Mini File Host and DaddyScripts Daddy's File Host - Local File Inclusion
by L0n3ly-H34rT
Hotel Booking Portal 0.1 - Multiple SQL Injections / Cross-Site Scripting
by Yakir Wizman
Phplist < 2.10.18 - XSS
Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.
by High-Tech Bridge SA
Phplist < 2.10.18 - SQL Injection
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.
by High-Tech Bridge SA
Pbboard - Access Control
The new_password page in PBBoard 2.1.4 allows remote attackers to change the password of arbitrary user accounts via the member_id and new_password parameters to index.php.
by High-Tech Bridge
Pbboard - SQL Injection
Multiple SQL injection vulnerabilities in PBBoard 2.1.4 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to the send page, (2) email parameter to the forget page, (3) password parameter to the forum_archive page, (4) section parameter to the management page, (5) section_id parameter to the managementreply page, (6) member_id parameter to the new_password page, or (7) subjectid parameter to the tags page to index.php.
by High-Tech Bridge
Pbboard - Unrestricted File Upload
Unrestricted file upload vulnerability in admin.php in PBBoard 2.1.4 allows remote administrators to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in the addons directory. NOTE: this vulnerability can be leveraged by remote attackers using CVE-2012-1216.
by High-Tech Bridge
Openconstructor - SQL Injection
Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) data/gallery/edit.php, (2) data/guestbook/edit.php, (3) data/file/edit.php, (4) data/htmltext/edit.php, (5) data/publication/edit.php, or (6) data/event/edit.php.
by Lorenzo Cantoni
Inout Mobile Webmail APP - Persistent Cross-Site Scripting
by Vulnerability-Lab