Exploitdb Exploits
31,357 exploits tracked across all sources.
RadAFFILIATE Links - 'index.php' Cross-Site Scripting
by Moudi
Freelancers 1.0 - Cross-Site Scripting via id or jobid Parameter
Multiple cross-site scripting (XSS) vulnerabilities in Freelancers 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to placebid.php and (2) jobid parameter to post_resume.php.
by Moudi
Adobe ColdFusion < 8.0.1 - Cross-Site Scripting via startRow Parameter or Query String
Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
by Alexander Polyakov
DUWare DUgallery 3.0 - '/admin/edit.asp' Authentication Bypass
by spymeta
2fly Gift Delivery System 6.0 - SQL Injection via gameid Parameter
SQL injection vulnerability in 2fly_gift.php in 2FLY Gift Delivery System 6.0 allows remote attackers to execute arbitrary SQL commands via the gameid parameter in a content action.
by Securitylab.ir
PHP Competition System BETA 0.84 - SQL Injection via Day or Pageno Parameter
Multiple SQL injection vulnerabilities in PHP Competition System BETA 0.84 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) day parameter to show_matchs.php and (2) pageno parameter to persons.php.
by Mr.SQL
Ignition 1.2 - 'comment' Remote Code Injection
by Khashayar Fereidani
DigitalSpinners DS CMS 1.0 - SQL Injection via DetailFile.php nFileId Parameter
SQL injection vulnerability in DetailFile.php in DigitalSpinners DS CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the nFileId parameter.
by Mr.tro0oqy
Sniper Elite 1.0 - Null Pointer Dereference Denial of Service
by Luigi Auriemma
Linux kernel <2.6.30.4, <2.4.37.4 - Privilege Escalation
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
by Przemyslaw Frasunek
CVSS 7.8
Linux kernel <2.6.30.4, <2.4.37.4 - Privilege Escalation
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
by spender
CVSS 7.8
TGS Content Management 0.x - Cross-Site Scripting via login.php previous_page Parameter
Cross-site scripting (XSS) vulnerability in login.php in TGS Content Management 0.x allows remote attackers to inject arbitrary web script or HTML via the previous_page parameter, a different vector than CVE-2008-6839.
by []ViZiOn
TGS Content Management 0.x - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in TGS Content Management 0.x allow remote attackers to execute arbitrary SQL commands via the (1) tgs_language_id, (2) tpl_dir, (3) referer, (4) user-agent, (5) site, (6) option, (7) db_optimization, (8) owner, (9) admin_email, (10) default_language, and (11) db_host parameters to cms/index.php; and the (12) cmd, (13) s_dir, (14) minutes, (15) s_mask, (16) test3_mp, (17) test15_file1, (18) submit, (19) brute_method, (20) ftp_server_port, (21) userfile14, (22) subj, (23) mysql_l, (24) action, and (25) userfile1 parameters to cms/frontpage_ception.php. NOTE: some of these parameters may be applicable only in nonstandard versions of the product, and cms/frontpage_ception.php may be cms/frontpage_caption.php in all released versions.
by []ViZiOn
Anantasoft Gazelle CMS 1.0 - Unauthenticated Arbitrary File Upload via File Manager
Unrestricted file upload vulnerability in admin/editor/filemanager/browser.html in Anantasoft Gazelle CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in user/File/.
by RoMaNcYxHaCkEr
elka CMS - Cross-Site Scripting via Search Feature q Parameter
Cross-site scripting (XSS) vulnerability in the Search feature in elka CMS (aka Elkapax) allows remote attackers to inject arbitrary web script or HTML via the q parameter to the default URI.
by Isfahan
THOMSON ST585 - 'user.ini' Arbitrary Disclosure
by aBo MoHaMeD
Shorty 0.7.1b - (Authentication Bypass) Insecure Cookie Handling
by Pedro Laguna
Plume CMS 1.2.3 - Authenticated SQL Injection via Manager Parameters
Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) remote authenticated users to execute arbitrary SQL commands via the m parameter to manager/index.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit_link action to manager/tools.php. NOTE: some of these details are obtained from third party information.
by Sense of Security
Gallarific 1.1 - '/gallery.php' Arbitrary Delete/Edit Category
by ilker Kandemir