Exploitdb Exploits

31,369 exploits tracked across all sources.

Sort: Activity Stars
CVE-2009-1447 EXPLOITDB text VERIFIED
e-cart Free Shopping Cart - Unauthenticated Arbitrary File Upload and Remote Code Execution via Image Editor
Unrestricted file upload vulnerability in admin/editor/image.php in e-cart.biz Free Shopping Cart allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/.
by ahmadbady
EIP-2026-105878 EXPLOITDB text VERIFIED
ClanTiger < 1.1.1 - Multiple Insecure Cookie Handling Vulnerabilities
by YEnH4ckEr
EIP-2026-105877 EXPLOITDB text VERIFIED
ClanTiger 1.1.1 - Authentication Bypass
by YEnH4ckEr
CVE-2009-5114 EXPLOITDB text VERIFIED
iwork WebGlimpse < 2.18.7 - Path Traversal via DOC Parameter
Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
by MustLive
CVE-2009-1347 EXPLOITDB text VERIFIED
chCounter 3.1.3 - SQL Injection via Login Name or Password Parameter
Multiple SQL injection vulnerabilities in stats/index.php in chCounter 3.1.3 allow remote attackers to execute arbitrary SQL commands via (1) the login_name parameter (aka the username field) or (2) the login_pw parameter (aka the password field).
by tmh
EIP-2026-119333 EXPLOITDB text VERIFIED
Zervit Web Server 0.02 - Directory Traversal
by e.wiZz!
CVE-2009-1408 EXPLOITDB text VERIFIED
webSPELL 4.2.0c - Cross-Site Scripting via Nested BBcode Tags
Cross-site scripting (XSS) vulnerability in webSPELL 4.2.0c allows remote attackers to inject arbitrary web script or HTML allows remote attackers to inject arbitrary web script or HTML via Javascript events such as onmouseover in nested BBcode tags, as demonstrated using (1) email, (2) img, and (3) url tags.
by YEnH4ckEr
CVE-2009-1452 EXPLOITDB text VERIFIED
SMA-DB 0.3.13 - Remote Code Execution via _page_css or _page_javascript Parameter
Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript parameters. NOTE: the _page_content vector is already is covered by CVE-2009-1450.
by JosS
CVE-2009-1458 EXPLOITDB text VERIFIED
razorcms < 0.4 - Cross-Site Scripting via slab, catname, or cat Parameter
Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in razorCMS before 0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the slab parameter in an edit action, (2) the catname parameter in a showcats action, and (3) the cat parameter in a reordercat action.
by Jeremi Gosney
EIP-2026-110607 EXPLOITDB text VERIFIED
Phorum 5.2 - 'versioncheck.php?upgrade_available' Cross-Site Scripting
by voodoo-labs
EIP-2026-110606 EXPLOITDB text VERIFIED
Phorum 5.2 - '/admin/users.php' Multiple Cross-Site Scripting Vulnerabilities
by voodoo-labs
EIP-2026-110605 EXPLOITDB text VERIFIED
Phorum 5.2 - '/admin/banlist.php?curr' Cross-Site Scripting
by voodoo-labs
EIP-2026-110604 EXPLOITDB text VERIFIED
Phorum 5.2 - '/admin/badwords.php?curr' Cross-Site Scripting
by voodoo-labs
EIP-2026-110154 EXPLOITDB text VERIFIED
Online Password Manager 4.1 - Insecure Cookie Handling
by ZoRLu
CVE-2009-1346 EXPLOITDB text VERIFIED
NetHoteles 3.0 - SQL Injection via id_establecimiento Parameter
SQL injection vulnerability in publico/ficha.php in NetHoteles 3.0 allows remote attackers to execute arbitrary SQL commands via the id_establecimiento parameter.
by snakespc
EIP-2026-109881 EXPLOITDB text VERIFIED
NetHoteles 2.0/3.0 - Authentication Bypass
by Dns-Team
CVE-2009-1916 EXPLOITDB text VERIFIED
GScripts.net DNS Tools - OS Command Injection via dig.php ns Parameter
dig.php in GScripts.net DNS Tools allows remote attackers to execute arbitrary commands via shell metacharacters in the ns parameter.
by SirGod
CVE-2009-1345 EXPLOITDB text VERIFIED
cpCommerce 1.2.8 - SQL Injection via id_document Parameter
SQL injection vulnerability in document.php in cpCommerce 1.2.8 allows remote attackers to execute arbitrary SQL commands via the id_document parameter.
by NoGe
CVE-2009-1362 EXPLOITDB text VERIFIED
chcounter 3.1.3 - SQL Injection via login_name Parameter
SQL injection vulnerability in administration/index.php in chCounter 3.1.3 allows remote attackers to execute arbitrary SQL commands via the login_name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by tmh
CVE-2009-0038 EXPLOITDB text VERIFIED
Apache Geronimo Application Server <2.1.3 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.
by DSecRG
CVE-2009-0038 EXPLOITDB text VERIFIED
Apache Geronimo Application Server <2.1.3 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.
by DSecRG
CVE-2008-5518 EXPLOITDB text VERIFIED
Apache Geronimo Application Server <2.1.3 - Path Traversal
Multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows allow remote attackers to upload files to arbitrary directories via directory traversal sequences in the (1) group, (2) artifact, (3) version, or (4) fileType parameter to console/portal//Services/Repository (aka the Services/Repository portlet); the (5) createDB parameter to console/portal/Embedded DB/DB Manager (aka the Embedded DB/DB Manager portlet); or the (6) filename parameter to the createKeystore script in the Security/Keystores portlet.
by DSecRG
CVE-2009-0981 EXPLOITDB text VERIFIED
Oracle Database 11.1.0.7 - Info Disclosure
Unspecified vulnerability in the Application Express component in Oracle Database 11.1.0.7 allows remote authenticated users to affect confidentiality, related to APEX. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue allows remote authenticated users to obtain APEX password hashes from the WWV_FLOW_USERS table via a SELECT statement.
by Alexander Kornbrust
CVE-2009-0307 EXPLOITDB text VERIFIED
RIM BlackBerry Enterprise Server <4.1.6 MR5 - XSS
Cross-site scripting (XSS) vulnerability in the "Customize Statistics Page" (admin/statistics/ConfigureStatistics) in the MDS Connection Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) before 4.1.6 MR5 allows remote attackers to inject arbitrary web script or HTML via the (1) customDate, (2) interval, (3) lastCustomInterval, (4) lastIntervalLength, (5) nextCustomInterval, (6) nextIntervalLength, (7) action, (8) delIntervalIndex, (9) addStatIndex, (10) delStatIndex, and (11) referenceTime parameters.
by Ken Millar
CVE-2009-1353 EXPLOITDB text VERIFIED
Zervit Webserver 0.02 - Buffer Overflow via Long URI
Buffer overflow in the http_parse_hex function in libz/misc.c in Zervit Webserver 0.02 allows remote attackers to cause a denial of service (daemon crash) via a long URI, related to http.c.
by e.wiZz!
By Source
All 31,369 Writeup 60,656 Exploitdb 50,056 Nomisec 21,999 Metasploit 3,233 Github 3,028 Vulncheck_xdb 909 Inthewild 514 Gitlab 461 Gitee 415 Patchapalooza 312
By Language
text 31,369 python 6,263 ruby 5,923 c 3,600 perl 2,850 html 2,059 php 1,327 bash 460 java 364 c++ 253 javascript 221 shell 105 go 65 postscript 25 xml 24