Exploitdb Exploits
31,369 exploits tracked across all sources.
YABSoft Mega File Hosting 1.2 - Remote Code Execution via URL Parameter in cross.php
PHP remote file inclusion vulnerability in cross.php in YABSoft Mega File Hosting 1.2 allows remote attackers to execute arbitrary PHP code via a URL in the url parameter. NOTE: this can also be leveraged to include and execute arbitrary local files via .. (dot dot) sequences.
by Garry
Ganesha Digital Library 4.0 and 4.2 - SQL Injection via Node Parameter
SQL injection vulnerability in functions/browse.php in Ganesha Digital Library (GDL) 4.0 and 4.2 allows remote attackers to execute arbitrary SQL commands via the node parameter in a browse action to gdl.php.
by g4t3w4y
Sun Java System Messenger Express 6.3-0.15 - 'error' Cross-Site Scripting
by syniack
Beerwin PHPLinkAdmin 1.0 - SQL Injection via linkid Parameter
Multiple SQL injection vulnerabilities in Beerwin PHPLinkAdmin 1.0 allow remote attackers to execute arbitrary SQL commands via the linkid parameter to edlink.php, and unspecified other vectors.
by SirGod
PPLive < 1.9.21 - Remote Code Execution via URI Handler Argument Injection
Multiple argument injection vulnerabilities in PPLive.exe in PPLive 1.9.21 and earlier allow remote attackers to execute arbitrary code via a UNC share pathname in the LoadModule argument to the (1) synacast, (2) Play, (3) pplsv, or (4) ppvod URI handler. NOTE: some of these details are obtained from third party information.
by Nine:Situations:Group
YAP Blog 1.1.1 - SQL Injection via Image ID Parameter
Multiple SQL injection vulnerabilities in YAP Blog 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) image_id parameter to comments.php, and remote authenticated administrators to execute arbitrary SQL commands via the (2) user parameter in a modif action to admin/index.php.
by SirGod
UBBCentral UBB.Threads 5.5.1 - 'message' SQL Injection
by s4squatch
phpComasy 0.9.1 - SQL Injection via entry_id Parameter
SQL injection vulnerability in index.php in phpComasy 0.9.1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter.
by boom3rang
Beerwin PHPLinkAdmin 1.0 - Remote Code Execution via Page Parameter
PHP remote file inclusion vulnerability in linkadmin.php in Beerwin PHPLinkAdmin 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
by SirGod
YAP Blog 1.1.1 - SQL Injection via Image ID Parameter
Multiple SQL injection vulnerabilities in YAP Blog 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) image_id parameter to comments.php, and remote authenticated administrators to execute arbitrary SQL commands via the (2) user parameter in a modif action to admin/index.php.
by Alkindiii
Kim Websites 1.0 - SQL Injection via Username or Password Parameter
Multiple SQL injection vulnerabilities in login.php in Kim Websites 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
by Virangar Security
Elaborate Bytes ElbyCDIO.sys <= 6.0.2.0 - Denial of Service via Crafted IOCTL
Elaborate Bytes ElbyCDIO.sys 6.0.2.0 and earlier, as distributed in SlySoft AnyDVD before 6.5.2.6, Virtual CloneDrive 5.4.2.3 and earlier, CloneDVD 2.9.2.0 and earlier, and CloneCD 5.3.1.3 and earlier, uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to cause a denial of service (system crash) via a crafted IOCTL call.
by Nikita Tarakanov
TikiWiki CMS/Groupware 2.2 - Cross-Site Scripting via PHP_SELF URI Parameter
Cross-site scripting (XSS) vulnerability in TikiWiki (Tiki) CMS/Groupware 2.2 allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to (1) tiki-galleries.php, (2) tiki-list_file_gallery.php, (3) tiki-listpages.php, and (4) tiki-orphan_pages.php.
by iliz
phpMySport 1.4 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in index.php in phpMySport 1.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) v2 parameter in a member view action, (2) v1 parameter in a news action, (3) v1 parameter in an information action, (4) v2 parameter in a team view action, (5) v2 parameter in a club view action, or (6) v2 parameter in a matches view action.
by XaDoS
PostgreSQL < 8.3.7 - Denial of Service via Localized Error Message Encoding
PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
by Afonin Denis
IBM Director < 5.20.3 - Denial of Service via Long Consumer Name
The CIM server in IBM Director before 5.20.3 Service Update 2 on Windows allows remote attackers to cause a denial of service (daemon crash) via a long consumer name, as demonstrated by an M-POST request to a long /CIMListener/ URI.
by Bernhard Mueller
WordPress MU < 2.7 - Cross-Site Scripting via HTTP Host Header
Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
by Juan Galiana Lara
PHP-Fusion Mod Book Panel - 'course_id' SQL Injection
by SuB-ZeRo
Joomla! Component Djice Shoutbox 1.0 - Persistent Cross-Site Scripting
by XaDoS
webjump! - SQL Injection via id Parameter
SQL injection vulnerability in Content Management System WEBjump! allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) portfolio_genre.php and (2) news_id.php.
by M3NW5
Echo < 2.1.1 and 3.x < 3.0.b6 - XML External Entity Injection
The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows remote attackers to read arbitrary files via a request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
by SEC Consult