Text Exploits
31,386 exploits tracked across all sources.
Apache Struts <2.3.1.1 - Code Injection
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
by SEC Consult
Apache Struts < 2.3.1.1 - Remote Code Execution via CookieInterceptor
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
by SEC Consult
Apache Struts < 2.2.3.1 - Remote Code Execution via ExceptionDelegator OGNL Expression Injection
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
by SEC Consult
CVSS 9.8
IpTools 0.1.4 - Unauthenticated Path Traversal via HTTP Request
Directory traversal vulnerability in the WebServer (Thttpd.bat) in IpTools (aka Tiny TCP/IP server) 0.1.4 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP request.
by demonalex
Pay With Tweet <1.2 - SQL Injection
SQL injection vulnerability in the Pay With Tweet plugin before 1.2 for WordPress allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the id parameter in a paywithtweet shortcode.
by Gianluca Brindisi
TinyWebGallery 1.8.3 - Remote Code Execution via Command Parameter
TinyWebGallery 1.8.3 allows remote attackers to execute arbitrary code via shell metacharacters in the command parameter to (1) inc/filefunctions.inc or (2) info.php.
by Expl0!Ts
SenseSites CommonSense CMS - SQL Injection
Multiple SQL injection vulnerabilities in SenseSites CommonSense CMS allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) special.php, (2) article.php, or (3) cat2.php.
by H4ckCity Security Team
eFront 3.6.10 - 'download' Directory Traversal
by Chokri B.A
Novell NetWare 6.5 SP8 - Buffer Overflow
Stack-based buffer overflow in the xdrDecodeString function in XNFS.NLM in Novell NetWare 6.5 SP8 allows remote attackers to execute arbitrary code or cause a denial of service (abend or NFS outage) via long packets.
by Francis Provencher
Apache Struts 2.0.0-2.3.16 - Remote Code Execution via DebuggingInterceptor
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
by SEC Consult
HServer 0.1.1 - Path Traversal via Encoded Dot-Dot-Backslash Sequences
Directory traversal vulnerability in HServer 0.1.1 allows remote attackers to read arbitrary files via a (1) ..%5c (dot dot encoded backslash) or (2) %2e%2e%5c (encoded dot dot backslash) in the PATH_INFO.
by demonalex
Yaws 1.88 - Cross-Site Scripting via Wiki Application Parameters
Multiple cross-site scripting (XSS) vulnerabilities in the wiki application in Yaws 1.88 allow remote attackers to inject arbitrary web script or HTML via (1) the tag parameter to editTag.yaws, (2) the index parameter to showOldPage.yaws, (3) the node parameter to allRefsToMe.yaws, or (4) the text parameter to editPage.yaws.
by SiteWatch
VertrigoServ 2.25 - Cross-Site Scripting via ext Parameter
Cross-site scripting (XSS) vulnerability in inc/extensions.php in VertrigoServ 2.25 allows remote attackers to inject arbitrary web script or HTML via the ext parameter.
by Stefan Schurtz
SQLiteManager 1.2.4 - Cross-Site Scripting via dbsel or nsextt Parameter
Multiple cross-site scripting (XSS) vulnerabilities in SQLiteManager 1.2.4 allow remote attackers to inject arbitrary web script or HTML via the dbsel parameter to (1) main.php or (2) index.php; or (3) nsextt parameter to index.php.
by Stefan Schurtz
Apache Portable Runtime < 1.4.5 - Denial of Service via Hash Collision
tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
by Moritz Muehlenhoff
UBB.threads <= 7.5.6 - Cross-Site Scripting via Loginname Parameter
Cross-site scripting (XSS) vulnerability in forums/ubbthreads.php in UBB.threads 7.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the Loginname parameter.
by sonyy
TYPO3 4.5.x-4.5.9, 4.6.x-4.6.2, 4.7 - Remote Code Execution via BACK_PATH Parameter
PHP remote file inclusion vulnerability in Classes/Controller/AbstractController.php in the workspaces system extension in TYPO3 4.5.x before 4.5.9, 4.6.x before 4.6.2, and development versions of 4.7 allows remote attackers to execute arbitrary PHP code via a URL in the BACK_PATH parameter.
by MaXe
Textpattern CMS 4.4.1 - Cross-Site Scripting via ddb Parameter
Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter.
by Jonathan Claudius
Otterware StatIt 4 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in statistik.php in Otterware StatIt 4 allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter, (2) show parameter in a stat_tld action, or (3) order parameter in a stat_abfragen action.
by sonyy
Posse Softball Director CMS - SQL Injection
by H4ckCity Security Team
Posse Softball Director CMS - SQL Injection
SQL injection vulnerability in team.php in Posse Softball Director CMS allows remote attackers to execute arbitrary SQL commands via the idteam parameter.
by Easy Laster