Exploitdb Exploits
31,357 exploits tracked across all sources.
CutePHP CuteNews 1.4.6 and UTF-8 CuteNews < 8b - Cross-Site Request Forgery via Edit Users Action
Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to hijack the authentication of administrators for requests that create new users, including a new administrator, via an adduser action in the editusers module in index.php.
by Andrew Horton
CutePHP CuteNews <8b - Info Disclosure
CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to obtain sensitive information via an invalid date value in the from_date_day parameter to search.php, which reveals the installation path in an error message.
by Andrew Horton
Apache HTTP Server < 2.2.14 - Plaintext Injection via TLS Renegotiation
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
by Dan Kaminsky
WP-Cumulus < 1.23 - Cross-Site Scripting via Tagcloud Parameter
Cross-site scripting (XSS) vulnerability in Roy Tanck tagcloud.swf, as used in the WP-Cumulus plugin before 1.23 for WordPress and the Joomulus module 2.0 and earlier for Joomla!, allows remote attackers to inject arbitrary web script or HTML via the tagcloud parameter in a tags action. Cross-site scripting (XSS) vulnerability in tagcloud.swf in the WP-Cumulus Plug-in before 1.23 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tagcloud parameter.
by MustLive
Blender 2.49b - '.blend' Remote Command Execution
by Fernando Russ
Apache Tomcat - Form Authentication 'Username' Enumeration
by D. Matscheko
Apache Tomcat - Cookie Quote Handling Remote Information Disclosure
by John Kew
Apache mod_perl - Cross-Site Scripting via URI Parameter in Apache::Status
Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI.
by Richard H. Brain
Adobe Acrobat and Reader < 9.2 - Remote Code Execution
Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.
by Felipe Andres Manzano
OpenLDAP 2.3.39 - MODRDN Remote Denial of Service
by Ralf Haferkamp
Linux kernel <2.6.32 - Local Privilege Escalation
The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel before 2.6.32-git6 allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions.
by Akira Fujita
ToutVirtual VirtualIQ Pro 3.2 build 7882 and 3.5 build 8691 - Cross-Site Request Forgery
Multiple cross-site request forgery (CSRF) vulnerabilities in ToutVirtual VirtualIQ Pro 3.2 build 7882 and 3.5 build 8691 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new user account via a save action to tvserver/user/user.do, (2) shutdown a virtual machine, (3) start a virtual machine, (4) restart a virtual machine, or (5) schedule an activity.
by Alberto Trivero
PHP 5.3.0 - 'pdflib' Arbitrary File Write
by Sina Yazdanmehr
McAfee IntruShield Network Security Manager < 5.1.11.6 - Cross-Site Scripting via Login.jsp Parameters
Multiple cross-site scripting (XSS) vulnerabilities in intruvert/jsp/module/Login.jsp in McAfee IntruShield Network Security Manager (NSM) before 5.1.11.6 allow remote attackers to inject arbitrary web script or HTML via the (1) iaction or (2) node parameter.
by Daniel King
McAfee IntruShield Network Security Manager < 5.1.11.8.1 - Cross-Site Scripting via Session Cookie
McAfee IntruShield Network Security Manager (NSM) before 5.1.11.8.1 does not include the HTTPOnly flag in the Set-Cookie header for the session identifier, which allows remote attackers to hijack a session by leveraging a cross-site scripting (XSS) vulnerability.
by Daniel King
Kingsoft Internet Security 9 - Denial of Service
by Francis Provencher
Blender 2.34, 2.35a, 2.40, 2.49b - Remote Code Execution via ScriptLink SDNA onLoad Action
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.
by Core Security
Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities (1)
by Abysssec
Adobe Shockwave Player < 11.5.1.601 - Heap-Based Buffer Overflow via PlayerVersion Property
Heap-based buffer overflow in the SwDir.dll ActiveX control in Adobe Shockwave Player 11.5.1.601 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long PlayerVersion property value.
by Francis Provencher
Xerox Fiery Webtools - SQL Injection
SQL injection vulnerability in summary.php in Xerox Fiery Webtools allows remote attackers to execute arbitrary SQL commands via the select parameter.
by Bernardo Trigo
Rhino Software Serv-U Web Client 9.0.0.5 - Stack-Based Buffer Overflow via Long Session Cookie
Stack-based buffer overflow in the HTTP server in Rhino Software Serv-U Web Client 9.0.0.5 allows remote attackers to cause a denial of service (server crash) or execute arbitrary code via a long Session cookie.
by Nikolas Rangos
TFTgallery 0.13 - Cross-Site Scripting via Sample Parameter
Cross-site scripting (XSS) vulnerability in settings.php in TFTgallery 0.13 allows remote attackers to inject arbitrary web script or HTML via the sample parameter.
by blake
TFTgallery 0.13 - Path Traversal via Album Parameter
Directory traversal vulnerability in index.php in TFTgallery 0.13 allows remote attackers to read arbitrary files via a ..%2F (encoded dot dot slash) in the album parameter.
by blake
Twilight CMS < 4.1 - Cross-Site Scripting via News Calendar Parameter
Cross-site scripting (XSS) vulnerability in the default URI in news/ in Twilight CMS before 4.1 allows remote attackers to inject arbitrary web script or HTML via the calendar parameter. NOTE: some of these details are obtained from third party information.
by Vladimir Vorontsov
By Source