Text Exploits
31,392 exploits tracked across all sources.
Swinger Club Portal - Remote Code Execution via Anzeiger Start PHP Go Parameter
PHP remote file inclusion vulnerability in anzeiger/start.php in Swinger Club Portal allows remote attackers to execute arbitrary PHP code via a URL in the go parameter.
by Moudi
Rentventory 1.0.1 - Cross-Site Scripting via Login Parameters
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Rentventory 1.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka Login) and (2) password parameters in a login action.
by 599eme Man
HP Printers - Cross-Site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an Apply action to the support_param.html/config script.
by sh2kerr
Opial 1.0 - SQL Injection via txtUserName Parameter
SQL injection vulnerability in admin/index.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the txtUserName (aka User Name) parameter. NOTE: some of these details are obtained from third party information.
by Moudi
Rentventory - SQL Injection via Product Parameter
SQL injection vulnerability in index.php in Rentventory allows remote attackers to execute arbitrary SQL commands via the product parameter.
by Moudi
Opial 1.0 - SQL Injection via txtPassword Parameter
SQL injection vulnerability in admin/index.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the txtPassword parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by Moudi
Opial 1.0 - SQL Injection via albumid Parameter
SQL injection vulnerability in albumdetail.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the albumid parameter.
by ThE g0bL!N
AdminLog 0.5 - 'valid_login' Authentication Bypass
by SirGod
Oracle 10g - 'SYS.LT.COMPRESSWORKSPACETREE' SQL Injection (2)
by Sumit Siddharth
Sourcefire DC/3D Sensor <4.8.2 - Privilege Escalation
The web-based management interfaces in Sourcefire Defense Center (DC) and 3D Sensor before 4.8.2 allow remote authenticated users to gain privileges via a $admin value for the admin parameter in an edit action to admin/user/user.cgi and unspecified other components.
by Gregory Duchemin
CMS Chainuk < 1.2 - Exposure of Sensitive Information via Crafted id Parameter
CMS Chainuk 1.2 and earlier allows remote attackers to obtain sensitive information via (1) a crafted id parameter to index.php or (2) a nonexistent folder name in the id parameter to admin/admin_delete.php, which reveals the installation path in an error message.
by eLwaux
CMS Chainuk < 1.2 - Remote PHP Code Injection via Menu or Title Parameter
Multiple static code injection vulnerabilities in CMS Chainuk 1.2 and earlier allow remote attackers to inject arbitrary PHP code (1) into settings.php via the menu parameter to admin_settings.php or (2) into a content/=NUMBER.php file via the title parameter to admin_new.php.
by eLwaux
CMS Chainuk < 1.2 - Cross-Site Scripting via Admin Menu Parameter
Cross-site scripting (XSS) vulnerability in admin/admin_menu.php in CMS Chainuk 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the menu parameter.
by eLwaux
KerviNet Forum < 1.1 - Unauthenticated SQL Injection and Arbitrary Account Deletion via del_user_id Parameter
admin/edit_user.php in KerviNet Forum 1.1 and earlier does not require administrative authentication, which allows remote attackers to delete arbitrary accounts and conduct SQL injection attacks via the del_user_id parameter.
by eLwaux
KerviNet Forum < 1.1 - Authenticated Cross-Site Scripting via v_variant1 Parameter
Cross-site scripting (XSS) vulnerability in add_voting.php in KerviNet Forum 1.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the v_variant1 parameter.
by eLwaux
KerviNet Forum <1.1 - SQL Injection
Multiple SQL injection vulnerabilities in KerviNet Forum 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) an enter_parol cookie to index.php in an auto action or (2) the topic parameter to message.php. NOTE: vector 2 can be leveraged for a cross-site scripting (XSS) attack.
by eLwaux
KerviNet Forum <1.1 - Info Disclosure
KerviNet Forum 1.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) admin/head.php, or (2) voting_diagram.php, (3) voting.php, (4) topics_search.php, (5) topics_list.php, (6) top_part.php, (7) quick_search.php, (8) quick_reply.php, (9) moder_menu.php, (10) messages_list.php, (11) menu.php, (12) head.php, (13) forums_list.php, (14) forum_statistics.php, (15) forum_info.php, or (16) birthday.php in include_files/, which reveals the installation path in an error message.
by eLwaux
CMS Chainuk < 1.2 - Path Traversal and Arbitrary File Execution via Menu Parameter
Multiple directory traversal vulnerabilities in CMS Chainuk 1.2 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the menu parameter to admin/admin_menu.php, and the id parameter to (2) index.php and (3) admin/admin_edit.php; and (4) delete arbitrary local files via a .. (dot dot) in the id parameter to admin/admin_delete.php. NOTE: vector 2 can be leveraged for static code injection by sending a crafted menu parameter to admin/admin_menu.php, and then sending an id=../menu.csv request to index.php.
by eLwaux
armassa ARD-9808 Software - Unauthenticated Sensitive Information Exposure via Direct Request
The ARD-9808 DVR card security camera stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing usernames and passwords via a direct request for dvr.ini.
by Septemb0x
XOOPS 2.3.3 - Cross-Site Scripting via op Parameter and Query String
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) op parameter to modules/pm/viewpmsg.php and (2) query string to modules/profile/user.php.
by Sense of Security
WordPress Related Sites 2.1 - SQL Injection
SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter.
by eLwaux
WordPress Plugin DM Albums 1.9.2 - Remote File Disclosure
by Stack
By Source