Exploitdb Exploits
31,357 exploits tracked across all sources.
Joomla! 1.5-1.5.10 - Cross-Site Scripting via Database Output
Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to database output and the frontend administrative panel.
by Airton Torres
Flatnux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities
by intern0t
EgyPlus 7ammel <1.0.1 - Auth Bypass
cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters.
by Qabandi
CVSS 9.8
Google Chrome <= 1.0.154.48 - Cross-Site Scripting via Refresh Header
Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.
by MustLive
Apache Tomcat <6.0.18 - Info Disclosure
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
by D. Matscheko
i-Gallery 3.4/4.1 - 'streamfile.asp' Multiple Directory Traversal Vulnerabilities
by Stefano Angaran
Flashlight Free Edition - SQL Injection
SQL injection vulnerability in read.php in Flashlight Free Edition allows remote attackers to execute arbitrary SQL commands via the id parameter.
by K4m1k451
PropertyMax Pro FREE 0.3 - Cross-Site Scripting via pl Parameter in mi Action
Cross-site scripting (XSS) vulnerability in index.php in PropertyMax Pro FREE 0.3 allows remote attackers to inject arbitrary web script or HTML via the pl parameter in a mi action.
by SirGod
Apple Safari <4.0.1 - Use After Free
Use-after-free vulnerability in the servePendingRequests function in WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted HTML document that references a zero-length .js file and the JavaScript reload function. NOTE: some of these details are obtained from third party information.
by SkyOut
WebCal 3.04 - SQL Injection via event_id Parameter
SQL injection vulnerability in webCal3_detail.asp in WebCal 3.04 allows remote attackers to execute arbitrary SQL commands via the event_id parameter.
by Bl@ckbe@rD
PropertyMax Pro FREE 0.3 - SQL Injection
Multiple SQL injection vulnerabilities in the administrative login feature in PropertyMax Pro FREE 0.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
by SirGod
Podcast Generator 1.2 - 'GLOBALS[]' Multiple Vulnerabilities
by StAkeR
PHP-Nuke 8.0 Downloads Module - 'query' Cross-Site Scripting
by Schap Security
Online Grades & Attendance <3.2.6 - Path Traversal
Multiple directory traversal vulnerabilities in Online Grades & Attendance 3.2.5 and earlier, and possibly 3.2.6, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) GLOBALS[SKIN] parameter to index.php and the (2) skin parameter to admin/admin.php.
by YEnH4ckEr
Flashlight Free Edition - Path Traversal
Directory traversal vulnerability in admin.php in Flashlight Free Edition allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter.
by K4m1k451
Alstrasoft Article Manager Pro - Arbitrary File Upload
by ZoRLu
WebEyes Guest Book 3 - SQL Injection
SQL injection vulnerability in yorum.asp in WebEyes Guest Book 3 allows remote attackers to execute arbitrary SQL commands via the mesajid parameter.
by Bl@ckbe@rD
Unclassified NewsBoard 1.6.4 - Path Traversal and Arbitrary File Read via GLOBALS Parameter
Multiple directory traversal vulnerabilities in forum.php in Unclassified NewsBoard (UNB) 1.6.4, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to (1) read arbitrary recently-modified files via a .. (dot dot) in the GLOBALS[filename] parameter or (2) include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[UTE][__tplCollection][a][file] parameter.
by girex
Unclassified NewsBoard (UNB) 1.6.4 - SQL Injection
SQL injection vulnerability in the UnbDbEncode function in unb_lib/database.lib.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote attackers to execute arbitrary SQL commands via the Query parameter in a search action to forum.php, a different vector than CVE-2005-3686.
by girex
AIMP 2.51 build 330 - Stack-based Buffer Overflow via Long ID3 Tag
Stack-based buffer overflow in AIMP 2.51 build 330 allows remote attackers to execute arbitrary code via an MP3 file with a long ID3 tag.
by LiquidWorm
Unclassified NewsBoard (UNB) <1.6.4 - Info Disclosure
import_wbb1.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message.
by girex
PAD Site Scripts <3.6 - Info Disclosure
PAD Site Scripts 3.6 stores sensitive information under the web document root with insufficient access control, which allows remote attackers to download the database and obtain sensitive information via a direct request for dbbackup.txt.
by TiGeR-Dz
Open-school 1.0 - SQL Injection via os_news Module id Parameter
SQL injection vulnerability in the os_news module in Open-school (OS) 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action to index.php.
by OzX
Online Grades & Attendance <3.2.6 - SQL Injection
Multiple SQL injection vulnerabilities in Online Grades & Attendance 3.2.6 and earlier allow (1) remote attackers to execute arbitrary SQL commands via the key parameter in a resetpass action to index.php and (2) remote authenticated users to execute arbitrary SQL commands via the ADD parameter in a mailto action to parents/parents.php.
by YEnH4ckEr
OCS Inventory NG 1.02 - SQL Injection via download.php Parameters or group_show.php SYSTEMID
Multiple SQL injection vulnerabilities in Open Computer and Software (OCS) Inventory NG 1.02 for Unix allow remote attackers to execute arbitrary SQL commands via the (1) N, (2) DL, (3) O and (4) V parameters to download.php and the (5) SYSTEMID parameter to group_show.php.
by Nico Leidecker