Exploitdb Exploits
31,369 exploits tracked across all sources.
Jinzora Media Jukebox <2.8 - Path Traversal
Directory traversal vulnerability in index.php in Jinzora Media Jukebox 2.8 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter.
by dun
Orbit Downloader <= 2.8.7 - Arbitrary File Write via ActiveX Control Argument Injection
Argument injection vulnerability in orbitmxt.dll 2.1.0.2 in the Orbit Downloader 2.8.7 and earlier ActiveX control allows remote attackers to overwrite arbitrary files via whitespace and a command-line switch, followed by a full pathname, in the third argument to the download method.
by waraxe
Free Arcade Script 1.0 - Authentication Bypass / Arbitrary File Upload
by Mr.Skonnie
Rittal CMC-TC Processing Unit II - Multiple Vulnerabilities
by Louhi Networks
Siemens Gigaset SE461 WiMAX Router 1.5-BL024.9.6401 - Denial of Service via TCP Port 53 Connection
Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly other versions, allows remote attackers to cause a denial of service (device restart and loss of configuration) by connecting to TCP port 53, then closing the connection.
by Benkei
ExpressionEngine 1.6.4-1.6.6 - Stored Cross-Site Scripting via Avatar Parameter
Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter.
by Adam Baldwin
Pixie CMS 1.01a - SQL Injection via Referer HTTP Header
SQL injection vulnerability in the referral function in admin/lib/lib_logs.php in Pixie CMS 1.01a allows remote attackers to execute arbitrary SQL commands via the Referer HTTP header in a request.
by Justin Keane
CloneCD/DVD 'ElbyCDIO.sys' < 6.0.3.2 - Local Privilege Escalation
by NT Internals
Pixie CMS 1.01a - Cross-Site Scripting via Index.php X Parameter
Cross-site scripting (XSS) vulnerability in index.php in Pixie CMS 1.01a allows remote attackers to inject arbitrary web script or HTML via the x parameter.
by Justin Keane
Bloginator 1A - SQL Injection via articleCall.php id Parameter
SQL injection vulnerability in articleCall.php in Bloginator 1A allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Fireshot
Bloginator 1A - Unauthenticated Authentication Bypass via identifyYourself Cookie
Bloginator 1A allows remote attackers to bypass authentication and gain administrative access by setting the identifyYourself cookie.
by Fireshot
Xlight FTP Server <3.2.1 - SQL Injection
Multiple SQL injection vulnerabilities in Xlight FTP Server before 3.2.1, when ODBC authentication is enabled, allow remote attackers to execute arbitrary SQL commands via the (1) USER (aka username) or (2) PASS (aka password) command.
by fla
ModSecurity < 2.5.9 - Denial of Service via Multipart Form Data Request
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form data POST request with a missing part header name, which triggers a NULL pointer dereference.
by Juan Galiana Lara
Hannon Hill Cascade Server 5.7 - Authenticated Remote Code Execution via XSLT Stylesheet
Hannon Hill Cascade Server 5.7 and other versions allows remote authenticated users to execute arbitrary programs or Java code via a crafted XSLT stylesheet with "extension elements and extension functions" that trigger code execution by Xalan-Java, as demonstrated using xalan://java.lang.Runtime.
by Emory University
DeluxeBB <= 1.3 - SQL Injection via qorder Parameter
SQL injection vulnerability in misc.php in DeluxeBB 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the qorder parameter, a different vector than CVE-2005-2989 and CVE-2006-2503.
by girex
DeluxeBB 1.3 - SQL Injection via xthedateformat Parameter
SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.
by girex
YABSoft Advanced Image Hosting Script 2.3 - SQL Injection via Gallery List gal Parameter
SQL injection vulnerability in gallery_list.php in YABSoft Advanced Image Hosting (AIH) Script 2.3 allows remote attackers to execute arbitrary SQL commands via the gal parameter.
by boom3rang
PHPRunner < 4.2 - SQL Injection via SearchField Parameter
Multiple SQL injection vulnerabilities in PHPRunner 4.2, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the SearchField parameter to (1) UserView_list.php, (2) orders_list.php, (3) users_list.php, and (4) Administrator_list.php.
by BugReport.IR
fMoblog plugin 2.1 - SQL Injection via id Parameter
SQL injection vulnerability in fmoblog.php in the fMoblog plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. NOTE: some of these details are obtained from third party information.
by strange kevin
PHPRunner < 4.2 - Cleartext Storage of Sensitive Information in Database
UserView_list.php in PHPRunner 4.2, and possibly earlier, stores passwords in cleartext in the database, which allows attackers to gain privileges. NOTE: this can be leveraged with a separate SQL injection vulnerability to obtain passwords remotely without authentication.
by BugReport.IR
CVSS 7.5