Exploitdb Exploits
31,394 exploits tracked across all sources.
VMware vCenter Update Manager - Directory Traversal and Arbitrary File Read
The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523.
by Alexey Sintsov
Lanoba Social Plugin 1.0 - Cross-Site Scripting via Action Parameter
Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf.
by Amir
Alert Before Your Post < 0.1.1 - Cross-Site Scripting via Name Parameter
Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter.
by Am!r
Advanced Text Widget Plugin < 2.0.1 - Cross-Site Scripting via Page Parameter
Cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
by Amir
Adminimize < 1.7.22 - Cross-Site Scripting via Page Parameter
Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
by Am!r
Digital Attic Foundation CMS - 'id' SQL Injection
by tempe_mendoan
Jetpack - SQL Injection via id Parameter
SQL injection vulnerability in modules/sharedaddy.php in the Jetpack plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
by longrifle0x
Valid tiny-erp < 1.6 - SQL Injection via SearchField Parameter
Multiple SQL injection vulnerabilities in Valid tiny-erp 1.6 and earlier allow remote attackers to execute arbitrary SQL commands via the SearchField parameter in a search action to (1) _partner_list.php, (2) proioncategory_list.php, (3) _rantevou_list.php, (4) syncategory_list.php, (5) synallasomenos_list.php, (6) ypelaton_list.php, and (7) yproion_list.php.
by muuratsalo
Freelancer Calendar < 1.01 - SQL Injection via SearchField Parameter
Multiple SQL injection vulnerabilities in Freelancer calendar 1.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the SearchField parameter in a search action to (1) category_list.php, (2) Copy_of_calendar_list.php, (3) customer_statistics_list.php, (4) customer_list.php, and (5) task_statistics_list.php in the worldcalendar directory.
by muuratsalo
Blogs Manager < 1.101 - SQL Injection via SearchField Parameter
Multiple SQL injection vulnerabilities in Blogs Manager 1.101 and earlier allow remote attackers to execute arbitrary SQL commands via the SearchField parameter in a search action to (1) _authors_list.php, (2) _blogs_list.php, (3) _category_list.php, (4) _comments_list.php, (5) _policy_list.php, (6) _rate_list.php, (7) categoriesblogs_list.php, (8) chosen_authors_list.php, (9) chosen_blogs_list.php, (10) chosen_comments_list.php, and (11) help_list.php in blogs/.
by muuratsalo
Jetty 5.1.14 6.x < 6.1.17 and 7.x <= 7.0.0.M2 - Path Traversal via URI
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
by Alexey Sintsov
GoAhead Web Server 2.5 - 'goform/formTest' Multiple Cross-Site Scripting Vulnerabilities
by Prabhu S Angadi
ManageEngine ADSelfService Plus 4.5 Build 4521 - Cross-Site Scripting via EmployeeSearch.cc Parameters
Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274.
by James webb
Flexible Custom Post Type < 0.1.7 - Cross-Site Scripting via edit-post.php id Parameter
Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.
by Am!r
webERP 4.3.8 - Multiple Script URI Cross-Site Scripting Vulnerabilities
by High-Tech Bridge SA
webERP 4.3.8 - '/reportwriter/ReportMaker.php?reportid' SQL Injection
by High-Tech Bridge SA
webERP 4.3.8 - '/reportwriter/FormMaker.php?ReportID' SQL Injection
by High-Tech Bridge SA
FreeWebshop < 2.2.9 - Remote Code Execution via Ajax File Manager
Static code injection vulnerability in ajax_save_name.php in the Ajax File Manager module in the tinymce plugin in FreeWebshop 2.2.9 R2 and earlier allows remote attackers to inject arbitrary PHP code into data.php via the selected document, as demonstrated by a call to ajax_file_cut.php and then to ajax_save_name.php.
by EgiX
SonicWALL Aventail SRA EX - SQL Injection via prodpage.cfm CategoryID Parameter
SQL injection vulnerability in prodpage.cfm in SonicWALL Aventail allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter.
by Asheesh kumar
QuiXplorer < 2.3 - Unauthenticated Arbitrary File Upload and Remote Code Execution via index.php
Unrestricted file upload vulnerability in QuiXplorer 2.3 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension using the upload action to index.php, then accessing it via a direct request to the file in an unspecified directory.
by PCA
Authenex Strong Authentication System Server 3.1.0.2-3.1.0.3 SQL Injection via Username Parameter
SQL injection vulnerability in akeyActivationLogin.do in Authenex Web Management Control in Authenex Strong Authentication System (ASAS) Server 3.1.0.2 and 3.1.0.3 allows remote attackers to execute arbitrary SQL commands via the username parameter.
by Jose Carlos de Arriba
Optimalog Optima PLC < 1.5.2 - Denial of Service via Malformed Packet
APIFTP Server in Optimalog Optima PLC 1.5.2 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
by Luigi Auriemma
AdRotate < 3.6.8 - SQL Injection via Track Parameter
SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter (aka redirect URL).
by Miroslav Stampar
By Source