Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2008-6097 EXPLOITDB text VERIFIED
wikyblog < 1.7.1 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in WikyBlog before 1.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to index.php/Special/Main/keywordSearch, (2) revNum parameter to index.php/Edit/Main/Home, (3) to parameter to index.php/Special/Main/WhatLinksHere, (4) user parameter to index.php/Special/Main/UserEdits, and (5) the PATH_INFO to index.php.
by Omer Singer
CVE-2008-6099 EXPLOITDB text VERIFIED
RPortal < 1.1 - Remote Code Execution via File Op Parameter
PHP remote file inclusion vulnerability in index.php in RPortal 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the file_op parameter.
by Kad
CVE-2008-6092 EXPLOITDB text VERIFIED
phpscripts Ranking Script - Auth Bypass
phpscripts Ranking Script allows remote attackers to bypass authentication and gain administrative access by sending an admin=ja cookie.
by Crackers_Child
CVE-2008-6093 EXPLOITDB text VERIFIED
Noname CMS 1.0 - SQL Injection via file_id or kategorie Parameter
SQL injection vulnerability in index.php in Noname CMS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) file_id parameter in a detailansicht action and the (2) kategorie parameter in a kategorien action.
by ~!Dok_tOR!~
CVE-2008-4455 EXPLOITDB text VERIFIED
MySQL Quick Admin 1.5.5 - Path Traversal via Language Cookie
Directory traversal vulnerability in index.php in EKINdesigns MySQL Quick Admin 1.5.5 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the language cookie.
by JosS
CVE-2008-6102 EXPLOITDB text VERIFIED
Link Trader Script - SQL Injection via lnkid Parameter
SQL injection vulnerability in ratelink.php in Link Trader Script allows remote attackers to execute arbitrary SQL commands via the lnkid parameter.
by Hussin X
CVE-2008-4447 EXPLOITDB text VERIFIED
Positive Software H-Sphere WebShell 4.3.10 - Cross-Site Scripting via actions.php Parameters
Cross-site scripting (XSS) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to inject arbitrary web script or HTML via (1) the fn parameter during a dload action, (2) the mask parameter during a search action, and (3) the tab parameter during a sysinfo action.
by C1c4Tr1Z
CVE-2008-6100 EXPLOITDB text VERIFIED
Discussion Forums 2k 3.3 - SQL Injection
Multiple SQL injection vulnerabilities in Discussion Forums 2k 3.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) CatID parameter to (a) RSS1.php and (b) RSS2.php in misc/; and the (2) SubID parameter to (c) misc/RSS5.php.
by ~!Dok_tOR!~
CVE-2008-4483 EXPLOITDB text VERIFIED
Crux Gallery < 1.32 - Remote File Inclusion via Theme Parameter
Directory traversal vulnerability in index.php in Crux Gallery 1.32 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme parameter.
by StAkeR
CVE-2008-6091 EXPLOITDB text VERIFIED
BMForum 5.6 - SQL Injection via Tagname Parameter
SQL injection vulnerability in plugins.php in BMForum 5.6, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the tagname parameter.
by ~!Dok_tOR!~
CVE-2008-6104 EXPLOITDB text VERIFIED
A4Desk PHP Event Calendar - SQL Injection
SQL injection vulnerability in A4Desk PHP Event Calendar allows remote attackers to execute arbitrary SQL commands via the eventid parameter to admin/index.php.
by r45c4l
CVE-2008-6094 EXPLOITDB text VERIFIED
Celoxis - Stored Cross-Site Scripting via ni.smessage Parameter
Cross-site scripting (XSS) vulnerability in user.do in Celoxis Technologies Celoxis allows remote attackers to inject arbitrary web script or HTML via the ni.smessage parameter.
by teuquooch1seero
CVE-2008-6010 EXPLOITDB text VERIFIED
SG Real Estate Portal 2.0 - Path Traversal
Multiple directory traversal vulnerabilities in SG Real Estate Portal 2.0 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) mod, (2) page, or (3) lang parameter to index.php; or the (4) action or (5) folder parameter in a security request to admin/index.php.
by SirGod
CVE-2008-6009 EXPLOITDB text VERIFIED
SG Real Estate Portal 2.0 - Auth Bypass
SG Real Estate Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the Auth cookie to 1.
by Stack
CVE-2008-6011 EXPLOITDB text VERIFIED
SG Real Estate Portal 2.0 - SQL Injection
SQL injection vulnerability in index.php in SG Real Estate Portal 2.0 allows remote attackers to execute arbitrary SQL commands via the page_id parameter.
by SirGod
CVE-2008-6014 EXPLOITDB text VERIFIED
Rianxosencabos CMS 0.9 - SQL Injection
SQL injection vulnerability in scripts/links.php in Rianxosencabos CMS 0.9 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by ka0x
CVE-2008-6012 EXPLOITDB text VERIFIED
Pritlog < 0.4 - Unauthenticated Path Traversal via Filename Parameter
Directory traversal vulnerability in index.php in Pritlog 0.4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a viewEntry action.
by Pepelux
CVE-2008-6006 EXPLOITDB text VERIFIED
Micronation Banking System <1.5.0 - RCE
Multiple PHP remote file inclusion vulnerabilities in Micronation Banking System (minba) 1.5.0 allow remote attackers to execute arbitrary PHP code via a URL in the minsoft_path parameter to (1) utdb_access.php and (2) utgn_message.php in utility/.
by DaRkLiFe
CVE-2008-4743 EXPLOITDB text VERIFIED
QuidaScript FAQ Management Script - SQL Injection via catid Parameter
SQL injection vulnerability in index.php in QuidaScript FAQ Management Script allows remote attackers to execute arbitrary SQL commands via the catid parameter.
by Hussin X
CVE-2008-7026 EXPLOITDB text VERIFIED
efront < 3.5.1 - Unauthenticated Arbitrary File Upload and Remote Code Execution via Avatar Upload
Unrestricted file upload vulnerability in filesystem3.class.php in eFront 3.5.1 build 2710 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension as an avatar, then accessing it via a direct request to the file in (1) student/avatars/ or (2) professor/avatars/.
by Pepelux
CVE-2008-6007 EXPLOITDB text VERIFIED
QuidaScript BookMarks Favourites Script - SQL Injection
SQL injection vulnerability in view_group.php in QuidaScript BookMarks Favourites Script (APB) allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Hussin X
CVE-2008-6103 EXPLOITDB text VERIFIED
a4desk Flash Event Calendar - Remote Code Execution via index.php v Parameter
PHP remote file inclusion vulnerability in index.php in A4Desk Event Calendar, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the v parameter.
by Lo$er
CVE-2008-4456 EXPLOITDB text VERIFIED
MySQL - Cross-Site Scripting via HTML Output with --html Option
Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.
by Thomas Henlich
CVE-2008-4405 EXPLOITDB text VERIFIED
Xen 3.0.3 - Denial of Service via Xenstore Directory Tree Write Access
xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.
by Pascal Bouchareine
CVE-2008-4671 EXPLOITDB text VERIFIED
WordPress MU < 2.6 - Cross-Site Scripting via s or ip_address Parameter
Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address parameters.
by Juan Galiana Lara