Text Exploits
31,394 exploits tracked across all sources.
AJ Square AJ Auction Pro Platinum Skin #1 - Unauthenticated Authentication Bypass via Direct Request
AJ Square AJ Auction Pro Platinum Skin #1 sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass authentication via a direct request to admin/user.php.
by G4N0K
AJ Square AJ Article - Unauthenticated Administrator Access via Direct Request
AJ Square AJ Article allows remote attackers to bypass authentication and access administrator functionality via a direct request to (1) user.php, (2) articles.php, (3) articlesuspend.php, (4) site.php, (5) statistics.php, (6) mail.php, (7) category.php, (8) subcategory.php, (9) changepassword.php, (10) polling.php, and (11) logo.php in admin/.
by G4N0K
IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection
by Francesco Bianchino
Yigit Aybuga Dizi Portali - SQL Injection via film Parameter
SQL injection vulnerability in film.asp in Yigit Aybuga Dizi Portali allows remote attackers to execute arbitrary SQL commands via the film parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by Kaan KAMIS
Openfire < 3.6.0a - Cross-Site Scripting via Admin Console Login URL Parameter
Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter.
by Andreas Kurtz
Openfire < 3.6.0a - SQL Injection via SIP Plugin CallLogDAO Type Parameter
SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp.
by Andreas Kurtz
Openfire < 3.6.0a - Unauthenticated Path Traversal via Admin Console URI
Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.
by Andreas Kurtz
Windows Server 2003 and Vista - Denial of Service via UnhookWindowsHookEx Race Condition
Race condition in Microsoft Windows Server 2003 and Vista allows local users to cause a denial of service (crash or hang) via a multi-threaded application that makes many calls to UnhookWindowsHookEx while certain other desktop activity is occurring.
by killprog.org
ZeeMatri 3.0 - SQL Injection via bannerclick.php adid Parameter
SQL injection vulnerability in bannerclick.php in ZeeMatri 3.0 allows remote attackers to execute arbitrary SQL commands via the adid parameter.
by Hussin X
x10 Automatic Mp3 Search Engine Script 1.5.5-1.6 - Unauthenticated Arbitrary File Read via Encoded URL Parameter
download.php in X10media x10 Automatic Mp3 Search Engine Script 1.5.5 through 1.6 allows remote attackers to read arbitrary files via an encoded url parameter, as demonstrated by obtaining database credentials from includes/constants.php.
by THUNDER
ExoPHPDesk 1.2 Final - SQL Injection via Username Parameter
SQL injection vulnerability in admin.php in Exocrew ExoPHPDesk 1.2 Final allows remote attackers to execute arbitrary SQL commands via the username (user parameter).
by Cyber-Zone
Openfire < 3.6.0a - Open Redirect via login.jsp url Parameter
Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.
by Andreas Kurtz
MoinMoin 1.5.8/1.9 - Cross-Site Scripting / Information Disclosure
by Xia Shing Zee
Zeeproperty 1.0 - Authenticated Arbitrary File Upload via Profile Photo
Unrestricted file upload vulnerability in viewprofile.php in Zeeways ZEEPROPERTY 1.0 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a photo in a profile modification, then accessing a related file via a direct request to the file in companylogo/.
by ZoRLu
V3 Chat Live Support 3.0.4 - Auth Bypass
admin/index.php in V3 Chat Live Support 3.0.4 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.
by Cyber-Zone
Zeeways ZEEJOBSITE 2.0 - Authenticated Arbitrary File Upload via Profile Photo
Unrestricted file upload vulnerability in editresume_next.php in Zeeways ZEEJOBSITE 2.0 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a photo in a profile edit action, then accessing the file via a direct request to jobseekers/logos/.
by ZoRLu
Zeeways SHAADICLONE 2.0 - Unauthenticated Authentication Bypass via Direct Admin Page Access
Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.
by G4N0K
Zeeways SHAADICLONE 2.0 - Unauthenticated Authentication Bypass via Direct Admin Page Access
Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.
by G4N0K
Zeeways PhotoVideoTube < 1.1 - Unauthenticated Authentication Bypass via Direct Admin Request
Zeeways PhotoVideoTube 1.1 and earlier allows remote attackers to bypass authentication and perform administrative tasks via a direct request to admin/home.php.
by Stack
Zeeproperty 1.0 - Cross-Site Scripting via propid Parameter
Cross-site scripting (XSS) vulnerability in view_prop_details.php in Zeeways ZEEPROPERTY 1.0 allows remote attackers to inject arbitrary web script or HTML via the propid parameter.
by ZoRLu
V3 Chat - Profiles/Dating Script 3.0.2 - Auth Bypass
V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.
by Stack
CVSS 9.8
V3 Chat - Profiles/Dating Script 3.0.2 - SQL Injection
SQL injection vulnerability in V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.
by d3b4g
V3 Chat - Profiles/Dating Script 3.0.2 - Auth Bypass
V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.
by Cyber-Zone
CVSS 9.8
Mole Group Airline Ticket Script - Authentication Bypass
by Cyber-Zone
Indiscripts Enthusiast <3.1.4 - RCE
PHP remote file inclusion vulnerability in show_joined.php in Indiscripts Enthusiast 3.1.4, and possibly earlier, allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: the researcher also points out the analogous directory traversal issue.
by BugReport.IR
By Source