Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2008-4739 EXPLOITDB text VERIFIED
PlugSpace 0.1 - Path Traversal via Navi Parameter
Directory traversal vulnerability in index.php in PlugSpace 0.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the navi parameter.
by dun
CVE-2008-4716 EXPLOITDB text VERIFIED
PHP-Lance 1.52 - SQL Injection via show.php catid Parameter
SQL injection vulnerability in show.php in BitmixSoft PHP-Lance 1.52 allows remote attackers to execute arbitrary SQL commands via the catid parameter.
by InjEctOr5
CVE-2008-4738 EXPLOITDB text VERIFIED
MyCard 1.0.2 - SQL Injection via Gallery.php ID Parameter
SQL injection vulnerability in gallery.php in MyCard 1.0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by r45c4l
EIP-2026-109403 EXPLOITDB text VERIFIED
Membership Script - Multiple Cross-Site Scripting Vulnerabilities
by Ghost Hacker
CVE-2008-4672 EXPLOITDB text VERIFIED
Lyrics Script - Cross-Site Scripting via Search Results k Parameter
Cross-site scripting (XSS) vulnerability in search_results.php in buymyscripts Lyrics Script allows remote attackers to inject arbitrary web script or HTML via the k parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by Ghost Hacker
CVE-2008-4712 EXPLOITDB text VERIFIED
LnBlog < 0.9.0 - Path Traversal via Plugin Parameter
Directory traversal vulnerability in pages/showblog.php in LnBlog 0.9.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the plugin parameter.
by dun
CVE-2008-4711 EXPLOITDB text VERIFIED
Joovili < 3.0 - SQL Injection via id Parameter
SQL injection vulnerability in Joovili 3.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.blog.php, (2) view.event.php, (3) view.group.php, (4) view.music.php, (5) view.picture.php, and (6) view.video.php.
by ~!Dok_tOR!~
CVE-2008-5075 EXPLOITDB text VERIFIED
E-Uploader Pro 1.0 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in E-Uploader Pro 1.0 (aka Uploader PRO), when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) img.php, (b) file.php, (c) mail.php, (d) thumb.php, (e) zip.php, and (f) zipit.php, and (2) the view parameter to (g) browser.php.
by ~!Dok_tOR!~
CVE-2008-4735 EXPLOITDB text VERIFIED
CoAST 0.95 - Remote Code Execution via sections_file Parameter
PHP remote file inclusion vulnerability in header.php in Concord Asset, Software, and Ticket system (CoAST) 0.95 allows remote attackers to execute arbitrary PHP code via a URL in the sections_file parameter.
by DaRkLiFe
CVE-2008-4670 EXPLOITDB text VERIFIED
Ed Pudol Clickbank Portal - Cross-Site Scripting via Search Box
Cross-site scripting (XSS) vulnerability in search.php in Ed Pudol Clickbank Portal allows remote attackers to inject arbitrary web script or HTML via the search box. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by Ghost Hacker
CVE-2008-4366 EXPLOITDB text VERIFIED
Camera Life 2.6.2b4 - Authenticated Arbitrary File Upload via Image Upload Component
Unrestricted file upload vulnerability in the image upload component in Camera Life 2.6.2b4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in a user directory under images/photos/upload.
by Mi4night
EIP-2026-105271 EXPLOITDB text VERIFIED
ASPapp Knowledge Base - 'CatId' SQL Injection (2)
by Crackers_Child
CVE-2008-4737 EXPLOITDB text VERIFIED
WhoDomLite 1.1.3 - Cross-Site Scripting via dom Parameter
Cross-site scripting (XSS) vulnerability in wholite.cgi in WhoDomLite 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the dom parameter.
by Ghost Hacker
CVE-2008-7025 EXPLOITDB text VERIFIED
Check Point ZoneAlarm 8.0.020.000 - Denial of Service via Crafted HTTP Proxy Response
TrueVector in Check Point ZoneAlarm 8.0.020.000, with vsmon.exe running, allows remote HTTP proxies to cause a denial of service (crash) and disable the HIDS module via a crafted response.
by quakerdoomer
CVE-2008-4327 EXPLOITDB text VERIFIED
Windows XP SP3 - Denial of Service via Crafted .ico File
gdiplus.dll in GDI+ in Microsoft Windows XP SP3 does not properly handle crafted .ico files, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a certain crash.ico file on a web site, and allows user-assisted attackers to cause a denial of service (divide-by-zero error and persistent application crash) via this crash.ico file on the desktop, a different vulnerability than CVE-2007-2237.
by laurent gaffié
CVE-2008-4666 EXPLOITDB text VERIFIED
Ultimate Webboard 3.00 - SQL Injection via Category Parameter
SQL injection vulnerability in webboard.php in Ultimate Webboard 3.00 allows remote attackers to execute arbitrary SQL commands via the Category parameter.
by CWH Underground
CVE-2008-7024 EXPLOITDB text VERIFIED
Arz Development The Gemini Portal <= 4.7 - Unauthenticated Authentication Bypass via Cookie Manipulation
admin.php in Arz Development The Gemini Portal 4.7 and earlier allows remote attackers to bypass authentication and gain administrator privileges by setting the user cookie to "admin" and setting the name parameter to "users."
by Pepelux
CVE-2008-4720 EXPLOITDB text VERIFIED
The Gemini Portal 4.7 - Remote Code Execution via Lang Parameter File Inclusion
Multiple PHP remote file inclusion vulnerabilities in The Gemini Portal 4.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) page/forums/bottom.php and (2) page/forums/category.php.
by ZoRLu
CVE-2008-4736 EXPLOITDB text VERIFIED
RPG.Board <= 0.8 Beta2 - SQL Injection via showtopic Parameter
SQL injection vulnerability in index.php in RPG.Board 0.8 Beta2 and earlier allows remote attackers to execute arbitrary SQL commands via the showtopic parameter.
by 0x90
CVE-2008-5069 EXPLOITDB text VERIFIED
Panuwat PromoteWeb MySQL - SQL Injection via go.php id Parameter
SQL injection vulnerability in go.php in Panuwat PromoteWeb MySQL, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
by CWH Underground
CVE-2008-4719 EXPLOITDB text VERIFIED
openengine 2.0 beta2 - Remote Code Execution via oe_classpath Parameter
PHP remote file inclusion vulnerability in cms/classes/openengine/filepool.php in openEngine 2.0 beta2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the oe_classpath parameter, a different vector than CVE-2008-4329.
by Crackers_Child
CVE-2008-7027 EXPLOITDB text VERIFIED
Libra File Manager <= 1.18 - Unauthenticated Authentication Bypass via Cookie Manipulation
Libra File Manager 1.18 and earlier allows remote attackers to bypass authentication and gain privileges by setting the user and pass cookies to 1.
by Stack
CVE-2008-7019 EXPLOITDB text VERIFIED
esqlanelapse 2.6.1-2.6.2 - Unauthenticated Authentication Bypass via Cookie Manipulation
Esqlanelapse 2.6.1 and 2.6.2 allows remote attackers to bypass authentication and gain privileges via modified (1) enombre and (2) euri cookies.
by ZoRLu
CVE-2008-4484 EXPLOITDB text VERIFIED
Crux Gallery <= 1.32 - Unauthenticated Privilege Escalation via Name Parameter
main.php in Crux Gallery 1.32 and earlier allows remote attackers to gain administrative access by setting the name parameter to "users," as demonstrated via index.php.
by Pepelux
EIP-2026-105395 EXPLOITDB text VERIFIED
barcodegen 2.0.0 - 'class_dir' Remote File Inclusion
by Br0k3n H34rT