Text Exploits

31,392 exploits tracked across all sources.

Sort: Activity Stars
CVE-2009-2167 EXPLOITDB text VERIFIED
EgyPlus 7ammel < 1.0.1 - SQL Injection via Username or Password Parameter
Multiple SQL injection vulnerabilities in cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.
by Qabandi
CVE-2009-2350 EXPLOITDB text VERIFIED
Microsoft Internet Explorer 6.0.2900.2180 - XSS
Microsoft Internet Explorer 6.0.2900.2180 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312.
by MustLive
CVE-2009-0955 EXPLOITDB text VERIFIED
Apple QuickTime < 7.6.2 - Remote Code Execution via Crafted Image Description Atoms
Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted image description atoms in an Apple video file, related to a "sign extension issue."
by webDEViL
EIP-2026-112489 EXPLOITDB text VERIFIED
Supernews 2.6 - 'index.php?noticia' SQL Injection
by DD3str0y3r
CVE-2009-2163 EXPLOITDB text VERIFIED
Sitecore CMS < 6.0.2 - Cross-Site Scripting via sc_error Parameter
Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter.
by intern0t
CVE-2009-2166 EXPLOITDB text VERIFIED
OCS Inventory NG <1.02.1 (Unix) - Path Traversal
Absolute path traversal vulnerability in cvs.php in OCS Inventory NG before 1.02.1 on Unix allows remote attackers to read arbitrary files via a full pathname in the log parameter.
by Nico Leidecker
CVE-2009-4198 EXPLOITDB text VERIFIED
MyMiniBill - Authenticated SQL Injection via orderid Parameter
SQL injection vulnerability in my_orders.php in MyMiniBill allows remote authenticated users to execute arbitrary SQL commands via the orderid parameter in a status action.
by ThE g0bL!N
CVE-2009-4836 EXPLOITDB text VERIFIED
Movie PHP Script 2.0 - Remote Code Execution via Anticode Parameter
Eval injection vulnerability in system/services/init.php in Movie PHP Script 2.0 allows remote attackers to execute arbitrary PHP code via the anticode parameter.
by SirGod
CVE-2009-4202 EXPLOITDB text VERIFIED
Omilen Photo Gallery <Beta 0.5 - Path Traversal
Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
by ByALBAYX
CVE-2009-4199 EXPLOITDB text VERIFIED
Mambo Resident 1.0f - SQL Injection
Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos Res or com_mosres) component 1.0f for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) property_uid parameter in a viewproperty action to index.php and the (2) regID parameter in a showregion action to index.php.
by Chip d3 bi0s
CVE-2009-1938 EXPLOITDB text VERIFIED
Joomla! 1.5-1.5.10 - Cross-Site Scripting via Database Output
Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to database output and the frontend administrative panel.
by Airton Torres
EIP-2026-107134 EXPLOITDB text VERIFIED
Flatnux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities
by intern0t
CVE-2009-2168 EXPLOITDB CRITICAL text VERIFIED
EgyPlus 7ammel <1.0.1 - Auth Bypass
cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters.
by Qabandi
CVSS 9.8
CVE-2009-2352 EXPLOITDB text VERIFIED
Google Chrome <= 1.0.154.48 - Cross-Site Scripting via Refresh Header
Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.
by MustLive
CVE-2009-0580 EXPLOITDB text VERIFIED
Apache Tomcat <6.0.18 - Info Disclosure
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
by D. Matscheko
EIP-2026-100358 EXPLOITDB text VERIFIED
i-Gallery 3.4/4.1 - 'streamfile.asp' Multiple Directory Traversal Vulnerabilities
by Stefano Angaran
CVE-2009-4204 EXPLOITDB text VERIFIED
Flashlight Free Edition - SQL Injection
SQL injection vulnerability in read.php in Flashlight Free Edition allows remote attackers to execute arbitrary SQL commands via the id parameter.
by K4m1k451
CVE-2009-1951 EXPLOITDB text VERIFIED
PropertyMax Pro FREE 0.3 - Cross-Site Scripting via pl Parameter in mi Action
Cross-site scripting (XSS) vulnerability in index.php in PropertyMax Pro FREE 0.3 allows remote attackers to inject arbitrary web script or HTML via the pl parameter in a mi action.
by SirGod
CVE-2009-2419 EXPLOITDB text VERIFIED
Apple Safari <4.0.1 - Use After Free
Use-after-free vulnerability in the servePendingRequests function in WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted HTML document that references a zero-length .js file and the JavaScript reload function. NOTE: some of these details are obtained from third party information.
by SkyOut
CVE-2009-1945 EXPLOITDB text VERIFIED
WebCal 3.04 - SQL Injection via event_id Parameter
SQL injection vulnerability in webCal3_detail.asp in WebCal 3.04 allows remote attackers to execute arbitrary SQL commands via the event_id parameter.
by Bl@ckbe@rD
CVE-2009-1952 EXPLOITDB text VERIFIED
PropertyMax Pro FREE 0.3 - SQL Injection
Multiple SQL injection vulnerabilities in the administrative login feature in PropertyMax Pro FREE 0.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
by SirGod
EIP-2026-111380 EXPLOITDB text VERIFIED
Podcast Generator 1.2 - 'GLOBALS[]' Multiple Vulnerabilities
by StAkeR
EIP-2026-110869 EXPLOITDB text VERIFIED
PHP-Nuke 8.0 Downloads Module - 'query' Cross-Site Scripting
by Schap Security
CVE-2009-2037 EXPLOITDB text VERIFIED
Online Grades & Attendance <3.2.6 - Path Traversal
Multiple directory traversal vulnerabilities in Online Grades & Attendance 3.2.5 and earlier, and possibly 3.2.6, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) GLOBALS[SKIN] parameter to index.php and the (2) skin parameter to admin/admin.php.
by YEnH4ckEr
CVE-2009-4205 EXPLOITDB text VERIFIED
Flashlight Free Edition - Path Traversal
Directory traversal vulnerability in admin.php in Flashlight Free Edition allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter.
by K4m1k451