Exploitdb Exploits

31,369 exploits tracked across all sources.

CVE-2009-1653 EXPLOITDB text VERIFIED
TinyButStrong 3.4.0 - Path Traversal via Script Parameter
Directory traversal vulnerability in examples/tbs_us_examples_0view.php in TinyButStrong 3.4.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the script parameter.
by ahmadbady
CVE-2009-2003 EXPLOITDB text VERIFIED
Ascad Networks Password Protector SD <1.3.1 - Auth Bypass
Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin."
by Mr.tro0oqy
EIP-2026-109508 EXPLOITDB text VERIFIED
Mlffat 2.1 - Cookie Authentication Bypass
by Qabandi
EIP-2026-118880 EXPLOITDB text VERIFIED
Microsoft Windows Media Player 11 - ScriptCommand Multiple Information Disclosure Vulnerabilities
by Rosario Valotta
CVE-2009-1780 EXPLOITDB text VERIFIED
Frax.dk Php Recommend <= 1.3 - Unauthenticated Privilege Escalation via Password Change
admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters.
by scriptjunkie
CVE-2009-1779 EXPLOITDB text VERIFIED
Frax.dk Php Recommend < 1.3 - Remote File Inclusion via form_include_template Parameter
PHP remote file inclusion vulnerability in admin.php in Frax.dk Php Recommend 1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the form_include_template parameter.
by scriptjunkie
EIP-2026-117114 EXPLOITDB text VERIFIED
EasyPHP 3.0 - Arbitrary Modify Configuration File
by Zigma
CVE-2009-1781 EXPLOITDB text VERIFIED
Frax.dk Php Recommend < 1.3 - Remote PHP Code Injection via form_aula Parameter
Static code injection vulnerability in admin.php in Frax.dk Php Recommend 1.3 and earlier allows remote attackers to inject arbitrary PHP code into phpre_config.php via the form_aula parameter.
by scriptjunkie
EIP-2026-110329 EXPLOITDB text VERIFIED
openWYSIWYG 1.4.7 - Local Directory Traversal
by StAkeR
EIP-2026-106336 EXPLOITDB text VERIFIED
Dacio's Image Gallery 1.6 - Multiple Remote Vulnerabilities
by ahmadbady
EIP-2026-106335 EXPLOITDB text VERIFIED
Dacio's Image Gallery 1.6 - Directory Traversal / Authentication Bypass / Arbitrary File Upload
by ahmadbady
CVE-2009-1834 EXPLOITDB text VERIFIED
Firefox < 3.0.11 - Location Bar Spoofing via Invalid Unicode IDN Characters
Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 allows remote attackers to spoof the location bar via an IDN with invalid Unicode characters that are displayed as whitespace, as demonstrated by the \u115A through \u115E characters.
by Pavel Cvrcek
CVE-2009-1391 EXPLOITDB text VERIFIED
Compress::Raw::Zlib Perl Module < 2.017 - Denial of Service via Crafted Zlib Compressed Stream
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
by Leo Bergolth
CVE-2009-2043 EXPLOITDB text VERIFIED
Firefox 3.0.2-3.0.10 - Denial of Service via TinyMCE Interaction
nsViewManager.cpp in Mozilla Firefox 3.0.2 through 3.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to interaction with TinyMCE.
by Bret McMillan
CVE-2009-1662 EXPLOITDB text VERIFIED
Wright Way Services Recipe Script 5 - SQL Injection via Username and Password Fields
Multiple SQL injection vulnerabilities in admin/login.php in Wright Way Services Recipe Script 5 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) Password fields, as reachable from admin/index.php.
by TiGeR-Dz
CVE-2009-1658 EXPLOITDB text VERIFIED
Realty Webware Technologies Realty Web-Base 1.0 - SQL Injection via Username and Password Parameters
Multiple SQL injection vulnerabilities in admin/admin.php in Realty Webware Technologies Realty Web-Base 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) user (username) and (2) password parameters. NOTE: some of these details are obtained from third party information.
by ThE g0bL!N
EIP-2026-109249 EXPLOITDB text VERIFIED
MagpieRSS 0.72 - Cross-Site Scripting / HTML Injection
by Justin Klein Keane
CVE-2009-1913 EXPLOITDB text VERIFIED
LuxBum 0.5.5 - SQL Injection via Username Parameter
SQL injection vulnerability in manager.php in LuxBum 0.5.5, when magic_quotes_gpc is disabled and dotclear authentication is used, allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
by knxone
CVE-2009-1907 EXPLOITDB text VERIFIED
Claroline 1.8.11 - Cross-Site Scripting via Referer HTTP Header
Cross-site scripting (XSS) vulnerability in claroline/linker/notfound.php in Claroline 1.8.11 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header.
by Gerendi Sandor Attila
CVE-2009-1609 EXPLOITDB text VERIFIED
Battle Blog 1.25 - Unauthenticated Arbitrary File Upload via admin/uploadform.asp
Unrestricted file upload vulnerability in admin/uploadform.asp in Battle Blog 1.25 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.
by Cyber-Zone
CVE-2009-1699 EXPLOITDB HIGH text VERIFIED
Apple Safari < 4.0 - XML External Entity Injection via XSL Stylesheet
The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
by Chris Evans
CVSS 7.5
CVE-2009-1804 EXPLOITDB text VERIFIED
VideoScript.us YouTube Video Script - SQL Injection via Username or Password Parameter
Multiple SQL injection vulnerabilities in admin/index.php in VideoScript.us YouTube Video Script allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
by snakespc
CVE-2009-1670 EXPLOITDB text VERIFIED
TCPDB 3.8 - Unauthenticated Admin Account Creation via user/index.php
user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information.
by Mr.tro0oqy
CVE-2009-1799 EXPLOITDB text VERIFIED
ST-Gallery 0.1 alpha - SQL Injection via gallery_category or gallery_show Parameter
Multiple SQL injection vulnerabilities in the getGalleryImage function in st_admin/gallery_output.php in ST-Gallery 0.1 alpha, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) gallery_category or (2) gallery_show parameter to example.php.
by YEnH4ckEr
EIP-2026-103806 EXPLOITDB text VERIFIED
PHP - 'mb_ereg(i)_replace()' Evaluate Replacement String
by 80vul