Exploitdb Exploits
31,357 exploits tracked across all sources.
Interlogy Profile Manager Basic - SQL Injection
Multiple SQL injection vulnerabilities in cgi/admin.cgi in Interlogy Profile Manager Basic allow remote attackers to execute arbitrary SQL commands via a pmadm cookie in (1) an edittemp action or (2) a users action.
by ZoRLu
Vlad Titarenko ASP VT Auth 1.0 - Unauthenticated Sensitive Information Exposure via Direct Database File Request
Vlad Titarenko ASP VT Auth 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file and obtain usernames and passwords via a direct request for zHk8dEes3.txt.
by ByALBAYX
fipsCMS Light 2.1 - Information Disclosure via Direct Request for _fipsdb/db.mdb
fipsCMS Light 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file and obtain sensitive information via a direct request for _fipsdb/db.mdb.
by ByALBAYX
ClanSphere 2009.0 and 2009.0.2 - Cross-Site Scripting via Search Module Text Parameter
Cross-site scripting (XSS) vulnerability in index.php in the search module in ClanSphere 2009.0 and 2009.0.2 allows remote attackers to inject arbitrary web script or HTML via the text parameter in a list action. NOTE: this might overlap CVE-2008-1399.
by 599eme Man
America's Army 3.0.4 - Invalid Query Remote Denial of Service
by Luigi Auriemma
LogMeIn 4.0.784 - 'cfgadvanced.html' HTTP Header Injection
by Inferno
Kjtechforce Mailman Beta1 - SQL Injection
Multiple SQL injection vulnerabilities in Kjtechforce mailman beta1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the code parameter to activate.php or (2) the dest parameter to index.php.
by YEnH4ckEr
Horde Passwd < 3.1.1 - Cross-Site Scripting via Backend Parameter
Cross-site scripting (XSS) vulnerability in passwd/main.php in the Passwd module before 3.1.1 for Horde allows remote attackers to inject arbitrary web script or HTML via the backend parameter.
by anonymous
Web Directory Pro - Unauthenticated Database Backup and Configuration Modification via Direct Requests
Web Directory Pro allows remote attackers to (1) backup the database and obtain the backup via a direct request to admin/backup_db.php or (2) modify configuration via a direct request to admin/options.php.
by TiGeR-Dz
Online Armor Personal Firewall < 3.5.0.14 - Privilege Escalation via OAmon.sys IOCTL
The OAmon.sys kernel driver 3.1.0.0 and earlier in Tall Emu Online Armor Personal Firewall AV+ before 3.5.0.12, and Personal Firewall 3.5 before 3.5.0.14, allows local users to gain privileges via crafted METHOD_NEITHER IOCTL requests to \Device\OAmon containing arbitrary kernel addresses, as demonstrated using the 0x830020C3 IOCTL.
by NT Internals
SuperCali PHP Event Calendar - Arbitrary Admin Password Change
by TiGeR-Dz
EgyPlus 7ammel <= 1.0.1 - SQL Injection via Username or Password Parameter
Multiple SQL injection vulnerabilities in cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.
by Qabandi
Microsoft Internet Explorer <= 6.0.2900.2180 - Cross-Site Scripting via javascript: URIs in Refresh Headers
Microsoft Internet Explorer 6.0.2900.2180 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312.
by MustLive
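The advisory above describes a browser-side defect, but the exploitable condition is a Refresh header whose URL an attacker controls (for instance through the kind of HTTP header injection listed for LogMeIn 4.0.784 higher up this page). The following is an added example, not code from Microsoft or from any project on this page: a small Python checker that extracts the URL from a Refresh header value, normalises the scheme the way browsers do (case folding, tab/CR/LF inside the scheme, leading control characters), flags javascript: targets, and shows the allow-list an application should apply before it emits such a header. The header grammar and the control-character stripping are assumptions about browser behaviour, not statements taken from the advisory.

```python
import re

# Leading ASCII control characters and blanks are ignored by browsers when
# they parse a URL's scheme; stripping them here is an assumption about
# browser behaviour, not something the advisory states.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def refresh_url(header_value):
    """Return the URL carried by a Refresh header value such as
    '0; url=javascript:alert(1)' or '5;URL="/home"', or '' if there is none."""
    m = re.match(r"^\s*[\d.]*\s*[;,]\s*(?:url\s*=\s*)?(.*)$", header_value, re.I)
    if not m:
        return ""
    url = m.group(1).strip()
    if len(url) >= 2 and url[0] == url[-1] and url[0] in "\"'":
        url = url[1:-1]
    return url


def url_scheme(url):
    """Scheme of a URL, lower-cased, with the tab/CR/LF characters that
    browsers drop from inside a scheme removed ('java\\tscript:' -> 'javascript').
    Relative URLs have no scheme and return ''."""
    url = url.lstrip(_LEADING_JUNK)
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.\-\t\r\n]*):", url)
    if not m:
        return ""
    return re.sub(r"[\t\r\n]", "", m.group(1)).lower()


def is_script_refresh(header_value):
    """True when the header would make a browser that honours script URIs in
    Refresh (as the advisory describes for IE 6) execute attacker code."""
    return url_scheme(refresh_url(header_value)) == "javascript"


def safe_refresh(seconds, url):
    """Build a Refresh header from application data, allowing only relative
    URLs and http(s).  This is the server-side check an application needs
    whenever request data can reach the header, regardless of browser."""
    scheme = url_scheme(url)
    if scheme not in ("", "http", "https"):
        raise ValueError(f"refusing Refresh to scheme {scheme!r}")
    return f"{int(seconds)}; url={url}"
```

is_script_refresh() is the detection half (useful in a proxy or a test harness that inspects responses); safe_refresh() is the prevention half. The allow-list deliberately admits relative URLs, so it does not address open redirects to scheme-relative targets such as //host/; that is a separate check.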
Apple QuickTime < 7.6.2 - Remote Code Execution via Crafted Image Description Atoms
Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted image description atoms in an Apple video file, related to a "sign extension issue."
by webDEViL
Supernews 2.6 - 'index.php?noticia' SQL Injection
by DD3str0y3r
Sitecore CMS < 6.0.2 - Cross-Site Scripting via sc_error Parameter
Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter.
by intern0t
OCS Inventory NG < 1.02.1 (Unix) - Absolute Path Traversal via log Parameter
Absolute path traversal vulnerability in cvs.php in OCS Inventory NG before 1.02.1 on Unix allows remote attackers to read arbitrary files via a full pathname in the log parameter.
by Nico Leidecker
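The OCS Inventory NG entry is an absolute path traversal: the attacker supplies a full pathname, not a '../' sequence, so a filter that only strips '..' leaves the bug intact. The following is an added example, not OCS Inventory NG code and not the cvs.php handler itself: a hypothetical Python handler with the same shape of defect, next to a hardened version that canonicalises the path and checks containment. The log directory and the file outside it are constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile

# Constructed sandbox standing in for the application's log directory
# and for a file outside it (the role /etc/passwd plays in the advisory).
ROOT = tempfile.mkdtemp()
LOG_DIR = os.path.join(ROOT, "logs")
os.makedirs(LOG_DIR)
with open(os.path.join(LOG_DIR, "agent.log"), "w") as fh:
    fh.write("inventory ok\n")
SECRET = os.path.join(ROOT, "secret.txt")
with open(SECRET, "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/sh\n")


def read_log_vulnerable(log):
    """Hypothetical handler with the defect the advisory describes: the
    user-supplied name is joined to the log directory and opened as-is.
    os.path.join() discards LOG_DIR when 'log' is absolute, so a full
    pathname reads any file the web server can read; no '../' is needed,
    which is why a filter that only strips '..' does not help."""
    with open(os.path.join(LOG_DIR, log)) as fh:
        return fh.read()


def is_inside_log_dir(log):
    """Canonicalise the requested path and require it to stay under LOG_DIR.
    realpath() resolves '..' and symlinks; commonpath() avoids the prefix
    trick where '/srv/logs2' would pass a startswith('/srv/logs') check."""
    base = os.path.realpath(LOG_DIR)
    target = os.path.realpath(os.path.join(base, log))
    return os.path.commonpath([base, target]) == base


def read_log_hardened(log):
    """Same operation, refusing anything that resolves outside LOG_DIR."""
    if not is_inside_log_dir(log):
        raise PermissionError(f"refused: {log!r} resolves outside {LOG_DIR}")
    with open(os.path.join(LOG_DIR, log)) as fh:
        return fh.read()
```

The containment check rejects absolute paths, '../' sequences and symlinks that point out of the directory with one rule, which is preferable to enumerating bad substrings. An allow-list of known log file names is stricter still where the set of files is fixed.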
MyMiniBill - Authenticated SQL Injection via orderid Parameter
SQL injection vulnerability in my_orders.php in MyMiniBill allows remote authenticated users to execute arbitrary SQL commands via the orderid parameter in a status action.
by ThE g0bL!N
Movie PHP Script 2.0 - Remote Code Execution via Anticode Parameter
Eval injection vulnerability in system/services/init.php in Movie PHP Script 2.0 allows remote attackers to execute arbitrary PHP code via the anticode parameter.
by SirGod
Omilen Photo Gallery Beta 0.5 (Joomla! com_omphotogallery) - Local File Inclusion via Directory Traversal in controller Parameter
Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
by ByALBAYX
Mambo Resident 1.0f - SQL Injection
Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos Res or com_mosres) component 1.0f for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) property_uid parameter in a viewproperty action or (2) regID parameter in a showregion action to index.php.
by Chip d3 bi0s
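Three entries on this page (Kjtechforce Mailman, EgyPlus 7ammel and Mambo Resident) are qualified with "when magic_quotes_gpc is disabled". That qualifier is narrower than it looks: magic_quotes only escapes string delimiters, so it does nothing for a value spliced into a numeric position such as property_uid. The following is an added example, not code from any of those projects: a constructed SQLite schema with a login query (string context, as for the username/password parameters) and a property lookup (numeric context, as for property_uid), each in the vulnerable concatenating form with a magic_quotes stand-in switched on and off, beside the parameterised fix. PHP's addslashes() backslash-escapes for MySQL; SQLite doubles quotes instead, and that dialect is used here so the example runs stand-alone.

```python
import sqlite3


def escape_like_magic_quotes(value):
    """Stand-in for what magic_quotes_gpc does to request data: escape the
    string delimiter.  Only quote-delimited string contexts are protected;
    a value spliced into a numeric position passes through unchanged."""
    return value.replace("'", "''")


def setup_db():
    """Constructed in-memory schema mirroring the parameters named in the
    advisories: a users table (username/password) and a property table
    keyed by an integer property_uid."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE property(property_uid INTEGER, name TEXT);
        INSERT INTO property VALUES (1, 'Flat 1'), (2, 'Villa 2'), (3, 'Loft 3');
    """)
    return con


def login_concat(con, username, password, magic_quotes):
    """Vulnerable pattern: request values pasted into a quoted string context.
    With magic_quotes off, a username of "admin' -- " comments out the
    password check; with it on, the quote is escaped and the login fails."""
    if magic_quotes:
        username = escape_like_magic_quotes(username)
        password = escape_like_magic_quotes(password)
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in con.execute(sql)]


def view_property_concat(con, property_uid, magic_quotes):
    """Vulnerable pattern: request value pasted into a numeric context.
    "1 OR 1=1" contains no quote, so magic_quotes has nothing to escape and
    the injection works whether the setting is on or off."""
    if magic_quotes:
        property_uid = escape_like_magic_quotes(property_uid)
    sql = f"SELECT name FROM property WHERE property_uid = {property_uid}"
    return [row[0] for row in con.execute(sql)]


def login_param(con, username, password):
    """Fixed: bound parameters; the driver never lets data become SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def view_property_param(con, property_uid):
    """Fixed: validate the type first, then bind.  int() rejects "1 OR 1=1"
    with ValueError before any SQL is built."""
    sql = "SELECT name FROM property WHERE property_uid = ?"
    return [row[0] for row in con.execute(sql, (int(property_uid),))]
```

The point to take from view_property_concat() is that an advisory's "when magic_quotes_gpc is disabled" does not mean enabling it closes the hole: numeric parameters, LIKE patterns and identifiers are all outside its reach. Binding plus explicit type validation covers every context.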