Text Exploits
31,394 exploits tracked across all sources.
phpcksec 0.2 - Cross-Site Scripting via Path Parameter
Cross-site scripting (XSS) vulnerability in phpcksec.php in Stefan Ott phpcksec 0.2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.
by ahmadbady
K&S Shopsoftware - Unauthenticated Arbitrary File Upload via Admin Image Editor
Unrestricted file upload vulnerability in admin/editor/images.php in K&S Shopsoftware allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/upload/.
by mNt
Joomla! com_tech_article 1.0 - SQL Injection
SQL injection vulnerability in the Tech Articles (com_tech_article) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the item parameter to index.php.
by InjEctOr5
PHP 'python' Extension - 'safe_mode' Local Bypass
by Amir Salmani
Liberum Help Desk <= 0.97.3 - SQL Injection via id or uid Parameter
Multiple SQL injection vulnerabilities in Doug Luxem Liberum Help Desk 0.97.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) uid parameter to (a) inout/status.asp, (b) inout/update.asp, and (c) forgotpass.asp. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
by Cold Zero
Zelta E Store - Arbitrary File Upload / Bypass / SQL Injection / Blind SQL Injection
by ZoRLu
Liberum Help Desk 0.97.3 - Info Disclosure
Doug Luxem Liberum Help Desk 0.97.3 stores db/helpdesk2000.mdb under the web root with insufficient access control, which allows remote attackers to obtain passwords via a direct request.
by Cold Zero
Farsi Script Faupload - SQL Injection
SQL injection vulnerability in download.php in Farsi Script Faupload allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Aria-Security Team
Barracuda Spam Firewall <3.5.12.007 - SQL Injection
SQL injection vulnerability in index.cgi in the Account View page in Barracuda Spam Firewall (BSF) before 3.5.12.007 allows remote authenticated administrators to execute arbitrary SQL commands via a pattern_x parameter in a search_count_equals action, as demonstrated by the pattern_0 parameter.
by Marian Ventuneac
Web Wiz Guestbook 6.0 and 8.21 - Unauthenticated Sensitive Information Exposure via Direct Database Request
Web Wiz Guestbook 6.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database and obtain sensitive information via a direct request for database/WWGguestbook.mdb. NOTE: it was later reported that 8.21 is also affected.
by Cold Zero
Nukedit 4.9.8 - Unauthenticated Sensitive Information Exposure via Direct Database File Access
Nukedit 4.9.8 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing usernames and passwords via a direct request for database/dbsite.mdb.
by Cyber.Zer0
gNews Publisher - SQL Injection via authorID Parameter
SQL injection vulnerability in authors.asp in gNews Publisher allows remote attackers to execute arbitrary SQL commands via the authorID parameter.
by AlpHaNiX
BabbleBoard 1.1.6 - Authenticated Cross-Site Request Forgery
Cross-site request forgery (CSRF) vulnerability in index.php in BabbleBoard 1.1.6 allows remote authenticated users to hijack the authentication of administrators for requests that delete (1) categories or (2) groups; (3) ban users; or (4) delete users via the admin page.
by SirGod
Aperto Blog 0.1.1 - SQL Injection
SQL injection vulnerability in categories.php in Aperto Blog 0.1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by NoGe
WorkSimple 1.2.1 - Remote Code Execution via Lang Parameter
PHP remote file inclusion vulnerability in calendar.php in WorkSimple 1.2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the lang parameter.
by Osirys
ClickAndEmail - SQL Injection via ID Parameter or Admin Credentials
Multiple SQL injection vulnerabilities in ClickAndEmail allow remote attackers to execute arbitrary SQL commands via (1) the ID parameter to admin_dblayers.asp in an update action, (2) the adminid parameter to admin_loginCheck.asp (aka the USERNAME field in admin_main.asp), and (3) the PassWord parameter to admin_loginCheck.asp (aka the PASSWORD field in admin_main.asp). NOTE: some of these details are obtained from third party information.
by AlpHaNiX
Click&Rank - SQL Injection via id or userid or PassWord Parameter
Multiple SQL injection vulnerabilities in Click&Rank allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) hitcounter.asp, (2) user_delete.asp, and (3) user_update.asp; (4) the userid parameter to admin_login.asp (aka the USERNAME field in admin.asp); and (5) the PassWord parameter to admin_login.asp (aka the PASSWORD field in admin.asp). NOTE: some of these details are obtained from third party information.
by AlpHaNiX
XOOPS 0.22 - Print Module - SQL Injection
SQL injection vulnerability in print.php in the AM Events (aka Amevents) module 0.22 for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.
by nétRoot
WorkSimple 1.2.1 - Unauthenticated Sensitive Information Exposure via Direct Request
WorkSimple 1.2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing usernames and passwords via a direct request for data/usr.txt.
by Osirys
The Rat CMS Alpha 2 - SQL Injection via login.php user_id and password Parameters
Multiple SQL injection vulnerabilities in login.php in The Rat CMS Alpha 2 allow remote attackers to execute arbitrary SQL commands via the (1) user_id and (2) password parameter.
by x0r
injader < 2.1.1 - Cross-Site Scripting in Profile Editing Functionality
Cross-site scripting (XSS) vulnerability in the profile editing functionality in Injader before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information.
by anonymous
Free Links Directory Script <1.2a - SQL Injection
SQL injection vulnerability in lpro.php in Free Links Directory Script (FLDS) 1.2a allows remote attackers to execute arbitrary SQL commands via the id parameter.
by nuclear
Cant Find A Gaming CMS (CFAGCMS) 1.0 Beta 1 - SQL Injection
SQL injection vulnerability in right.php in Cant Find A Gaming CMS (CFAGCMS) 1.0 Beta 1 allows remote attackers to execute arbitrary SQL commands via the title parameter.
by ZoRLu
CadeNix - SQL Injection via cid Parameter
SQL injection vulnerability in index.php in CadeNix allows remote attackers to execute arbitrary SQL commands via the cid parameter.
by HaCkeR_EgY
By Source