Exploitdb Exploits

31,357 exploits tracked across all sources.

EIP-2026-103414 EXPLOITDB text VERIFIED
Apple Safari 4.x - JavaScript Reload Remote Crash
by SkyOut
CVE-2009-2344 EXPLOITDB text VERIFIED
Sourcefire DC/3D Sensor <4.8.2 - Privilege Escalation
The web-based management interfaces in Sourcefire Defense Center (DC) and 3D Sensor before 4.8.2 allow remote authenticated users to gain privileges via a $admin value for the admin parameter in an edit action to admin/user/user.cgi and unspecified other components.
by Gregory Duchemin
CVE-2009-2332 EXPLOITDB text VERIFIED
CMS Chainuk < 1.2 - Exposure of Sensitive Information via Crafted id Parameter
CMS Chainuk 1.2 and earlier allows remote attackers to obtain sensitive information via (1) a crafted id parameter to index.php or (2) a nonexistent folder name in the id parameter to admin/admin_delete.php, which reveals the installation path in an error message.
by eLwaux
CVE-2009-2331 EXPLOITDB text VERIFIED
CMS Chainuk < 1.2 - Remote PHP Code Injection via Menu or Title Parameter
Multiple static code injection vulnerabilities in CMS Chainuk 1.2 and earlier allow remote attackers to inject arbitrary PHP code (1) into settings.php via the menu parameter to admin_settings.php or (2) into a content/=NUMBER.php file via the title parameter to admin_new.php.
by eLwaux
CVE-2009-2330 EXPLOITDB text VERIFIED
CMS Chainuk < 1.2 - Cross-Site Scripting via Admin Menu Parameter
Cross-site scripting (XSS) vulnerability in admin/admin_menu.php in CMS Chainuk 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the menu parameter.
by eLwaux
CVE-2009-2328 EXPLOITDB text VERIFIED
KerviNet Forum < 1.1 - Unauthenticated SQL Injection and Arbitrary Account Deletion via del_user_id Parameter
admin/edit_user.php in KerviNet Forum 1.1 and earlier does not require administrative authentication, which allows remote attackers to delete arbitrary accounts and conduct SQL injection attacks via the del_user_id parameter.
by eLwaux
CVE-2009-2327 EXPLOITDB text VERIFIED
KerviNet Forum < 1.1 - Authenticated Cross-Site Scripting via v_variant1 Parameter
Cross-site scripting (XSS) vulnerability in add_voting.php in KerviNet Forum 1.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the v_variant1 parameter.
by eLwaux
CVE-2009-2326 EXPLOITDB text VERIFIED
KerviNet Forum <1.1 - SQL Injection
Multiple SQL injection vulnerabilities in KerviNet Forum 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) an enter_parol cookie to index.php in an auto action or (2) the topic parameter to message.php. NOTE: vector 2 can be leveraged for a cross-site scripting (XSS) attack.
by eLwaux
EIP-2026-109429 EXPLOITDB text VERIFIED
Messages Library 2.0 - Insecure Cookie Handling
by Stack
CVE-2009-2329 EXPLOITDB text VERIFIED
KerviNet Forum <1.1 - Info Disclosure
KerviNet Forum 1.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) admin/head.php, or (2) voting_diagram.php, (3) voting.php, (4) topics_search.php, (5) topics_list.php, (6) top_part.php, (7) quick_search.php, (8) quick_reply.php, (9) moder_menu.php, (10) messages_list.php, (11) menu.php, (12) head.php, (13) forums_list.php, (14) forum_statistics.php, (15) forum_info.php, or (16) birthday.php in include_files/, which reveals the installation path in an error message.
by eLwaux
CVE-2009-2333 EXPLOITDB text VERIFIED
CMS Chainuk < 1.2 - Path Traversal and Arbitrary File Execution via Menu Parameter
Multiple directory traversal vulnerabilities in CMS Chainuk 1.2 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the menu parameter to admin/admin_menu.php, and the id parameter to (2) index.php and (3) admin/admin_edit.php; and (4) delete arbitrary local files via a .. (dot dot) in the id parameter to admin/admin_delete.php. NOTE: vector 2 can be leveraged for static code injection by sending a crafted menu parameter to admin/admin_menu.php, and then sending an id=../menu.csv request to index.php.
by eLwaux
CVE-2009-2306 EXPLOITDB text VERIFIED
armassa ARD-9808 Software - Unauthenticated Sensitive Information Exposure via Direct Request
The ARD-9808 DVR card security camera stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing usernames and passwords via a direct request for dvr.ini.
by Septemb0x
CVE-2009-2783 EXPLOITDB text VERIFIED
XOOPS 2.3.3 - Cross-Site Scripting via op Parameter and Query String
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) op parameter to modules/pm/viewpmsg.php and (2) query string to modules/profile/user.php.
by Sense of Security
CVE-2009-2383 EXPLOITDB text VERIFIED
WordPress Related Sites 2.1 - SQL Injection
SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter.
by eLwaux
EIP-2026-113684 EXPLOITDB text VERIFIED
WordPress Plugin DM Albums 1.9.2 - Remote File Disclosure
by Stack
EIP-2026-112800 EXPLOITDB text VERIFIED
tsep 0.942.02 - Multiple Vulnerabilities
by eLwaux
CVE-2009-2382 EXPLOITDB CRITICAL text VERIFIED
phpMyBlockchecker 1.0.0055 - Auth Bypass
admin.php in phpMyBlockchecker 1.0.0055 allows remote attackers to bypass authentication and gain administrative access by setting the PHPMYBCAdmin cookie to LOGGEDIN.
by SirGod
CVSS 9.8
CVE-2009-3152 EXPLOITDB text VERIFIED
NTSOFT BBS E-Market Professional - Cross-Site Scripting via Page, bt_code, or b_no Parameters
Multiple cross-site scripting (XSS) vulnerabilities in becommunity/community/index.php in NTSOFT BBS E-Market Professional allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) bt_code, and (3) b_no parameters in a board view action.
by Ivan Sanchez
CVE-2009-2307 EXPLOITDB text VERIFIED
maxdev cwguestbook < 2.1 - SQL Injection via rid Parameter
SQL injection vulnerability in the CWGuestBook module 2.1 and earlier for MAXdev MDPro (aka MD-Pro) allows remote attackers to execute arbitrary SQL commands via the rid parameter in a viewrecords action to modules.php.
by Dante90
CVE-2009-2378 EXPLOITDB text VERIFIED
Jax FormMailer 3.0.0 - Remote Code Execution via BASE_DIR Parameter
PHP remote file inclusion vulnerability in formmailer.admin.inc.php in Jax FormMailer 3.0.0 allows remote attackers to execute arbitrary PHP code via a URL in the BASE_DIR[jax_formmailer] parameter.
by ahmadbady
EIP-2026-106478 EXPLOITDB text VERIFIED
DM FileManager 3.9.4 - Remote File Disclosure
by Stack
CVE-2009-2379 EXPLOITDB text VERIFIED
BIGACE Web CMS 2.6 - Path Traversal
Directory traversal vulnerability in public/index.php in BIGACE Web CMS 2.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cmd parameter.
by CWD@rBe
CVE-2009-2396 EXPLOITDB text VERIFIED
DM Albums 1.9.2 - Remote Code Execution via SECURITY_FILE Parameter
PHP remote file inclusion vulnerability in template/album.php in DM Albums 1.9.2, as used standalone or as a WordPress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the SECURITY_FILE parameter.
by Septemb0x
EIP-2026-113421 EXPLOITDB text VERIFIED
WHOISCART - Authentication Bypass / Information Disclosure
by SecurityRules
CVE-2009-2398 EXPLOITDB text VERIFIED
PHP-Sugar 0.80 - Path Traversal via t Parameter
Directory traversal vulnerability in test/index.php in PHP-Sugar 0.80 allows remote attackers to read arbitrary files via a ..// (dot dot slash slash) in the t parameter.
by ahmadbady