Exploitdb Exploits
31,394 exploits tracked across all sources.
Etano < 1.22 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Etano 1.22 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user, (2) email, (3) email2, (4) f17_zip, or (5) agree parameter to join.php; (6) PATH_INFO, (7) st, (8) f17_city, (9) f17_country, (10) f17_state, (11) f17_zip, (12) f19, (13) wphoto, (14) search, or (15) v parameter to search.php; (16) PATH_INFO or (17) st parameter to photo_search.php; or (18) return parameter to photo_view.php.
by Aung Khant
11in1 CMS 1.2.1 - 'admin/tps?id' SQL Injection
by Chokri B.A
11in1 CMS 1.2.1 - 'admin/comments?topicID' SQL Injection
by Chokri B.A
LastGuru ASP Guestbook - 'View.asp' SQL Injection
by demonalex
Witze addon 0.9 - SQL Injection via id Parameter
SQL injection vulnerability in jokes/index.php in the Witze addon 0.9 for deV!L'z Clanportal allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.
by Easy Laster
AneCMS - Path Traversal and Arbitrary File Execution via ACP p Parameter
Directory traversal vulnerability in acp/index.php in AneCMS allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p parameter.
by I2sec-Jong Hwan Park
RivetTracker <1.03 - Info Disclosure
torrent_functions.php in RivetTracker 1.03 and earlier does not properly restrict access, which allows remote attackers to have an unspecified impact.
by Ali Raheem
FlashFXP 4.2 - Authenticated Remote Code Execution via Long Unicode String to TListbox or TComboBox
Multiple buffer overflows in FlashFXP.exe in FlashFXP 4.2 allow remote authenticated users to execute arbitrary code via a long unicode string to (1) TListbox or (2) TComboBox.
by Vulnerability-Lab
Timesheet Next Gen 1.5.2 - SQL Injection via Username or Password Parameter
Multiple SQL injection vulnerabilities in login.php in Timesheet Next Gen 1.5.2 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters.
by G13
Endian UTM Firewall 2.4.x < 2.5.0 - Multiple Web Vulnerabilities
by Vulnerability-Lab
rivettracker < 1.03 - SQL Injection via Hash Parameter
Multiple SQL injection vulnerabilities in RivetTracker 1.03 and earlier allow remote attackers to execute arbitrary SQL commands via the hash parameter to (1) dltorrent.php or (2) torrent_functions.php.
by Ali Raheem
starCMS - Cross-Site Scripting via q Parameter
Cross-site scripting (XSS) vulnerability in index.php in starCMS allows remote attackers to inject arbitrary web script or HTML via the q parameter.
by Am!r
phxEventManager 2.0 beta 5 - SQL Injection
SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.
by skysbsb
CVSS 9.8
Drupal < 7.12 - Cross-Site Request Forgery via User Logout URI
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off.
by Ivano Binetti
Novell GroupWise 8.0x-8.02HP3 - Remote Code Execution via Long Email Address in Address Book File
The client in Novell GroupWise 8.0x through 8.02HP3 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) via a long e-mail address in an Address Book (aka .NAB) file.
by Francis Provencher
Img Pals Photo Host 1.0 - SQL Injection
Multiple SQL injection vulnerabilities in approve.php in Img Pals Photo Host 1.0 allow remote attackers to execute arbitrary SQL commands via the u parameter in a (1) app0 or (2) app1 action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by CorryL
NetMechanica NetDecision < 4.5.1 - Unauthenticated Source Code Exposure via Invalid Version Number
The Traffic Grapher Server for NetMechanica NetDecision before 4.6.1 allows remote attackers to obtain the source code of NtDecision script files with a .nd extension via an invalid version number in an HTTP request, as demonstrated using default.nd. NOTE: some of these details are obtained from third party information.
by SecPod Research
Img Pals Photo Host 1.0 - Unauthenticated Administrator Activation Change via approve.php u Parameter
approve.php in Img Pals Photo Host 1.0 does not authenticate requests, which allows remote attackers to change the activation of administrators via the u parameter in an (1) app0 (disable) or (2) app1 (enable) action.
by CorryL
Dotclear < 2.4.2 - Cross-Site Scripting via Multiple Admin Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before 2.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) login_data parameter to admin/auth.php; (2) nb parameter to admin/blogs.php; (3) type, (4) sortby, (5) order, or (6) status parameters to admin/comments.php; or (7) page parameter to admin/plugin.php.
by High-Tech Bridge SA
Dotclear < 2.4.2 - Cross-Site Scripting via Multiple Admin Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before 2.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) login_data parameter to admin/auth.php; (2) nb parameter to admin/blogs.php; (3) type, (4) sortby, (5) order, or (6) status parameters to admin/comments.php; or (7) page parameter to admin/plugin.php.
by High-Tech Bridge SA
Dotclear < 2.4.2 - Cross-Site Scripting via Multiple Admin Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before 2.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) login_data parameter to admin/auth.php; (2) nb parameter to admin/blogs.php; (3) type, (4) sortby, (5) order, or (6) status parameters to admin/comments.php; or (7) page parameter to admin/plugin.php.
by High-Tech Bridge SA
Yealink VOIP Phones - Authenticated Stored Cross-Site Scripting via User Field
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.
by Narendra Shinde
Nikola Posa Webfoliocms1.0.2 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Webfolio CMS 1.1.4 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via an add action to admin/users/add or (2) modify a web page via a save action to admin/pages/edit/web_page_name.
by Ivano Binetti
Fork CMS < 3.2.7 - Cross-Site Scripting via Type, Querystring, or Name Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Fork CMS before 3.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) type or (2) querystring parameters to private/en/error or (3) name parameter to private/en/locale/index.
by anonymous
By Source