Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2008-7098 EXPLOITDB text VERIFIED
Qsoft K-Rate Premium - Cross-Site Scripting via Blog Title/Text, Gallery Description, Forum Message, or Vote Parameter
Multiple cross-site scripting (XSS) vulnerabilities in Qsoft K-Rate Premium allow remote attackers to inject arbitrary web script or HTML via the blog, possibly the (1) Title and (2) Text fields; (3) the gallery, possibly the Description field in Your Pictures; (4) the forum, possibly the Your Message field when posting a new thread; or (5) the vote parameter in a view action to index.php. NOTE: some of these details are obtained from third party information.
by Corwin
CVE-2008-7097 EXPLOITDB text VERIFIED
Qsoft K-Rate Premium - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in Qsoft K-Rate Premium allow remote attackers to execute arbitrary SQL commands via (1) the $id variable in admin/includes/dele_cpac.php, (2) $ord[order_id] variable in payments/payment_received.php, (3) $id variable in includes/functions.php, and (4) unspecified variables in modules/chat.php, as demonstrated via the (a) show parameter in an online action to index.php; (b) PATH_INTO to the room/ handler; (c) image and (d) id parameters in a vote action to index.php; (e) PATH_INFO to the blog/ handler; and (f) id parameter in a blog_edit action to index.php.
by Corwin
CVE-2008-3925 EXPLOITDB text VERIFIED
Content Management Made Easy (CMME) 1.12 - Cross-Site Request Forgery via Admin Logout Action
Cross-site request forgery (CSRF) vulnerability in admin.php in Content Management Made Easy (CMME) 1.12 allows remote attackers to trigger the logout of an administrative user via a logout action.
by SirGod
CVE-2008-3924 EXPLOITDB text VERIFIED
CMME <1.12 - Info Disclosure
The "Make a backup" functionality in Content Management Made Easy (CMME) 1.12 stores sensitive information under the web root with insufficient access control, which allows remote attackers to discover (1) account names and (2) password hashes via a direct request for (a) backup/cmme_data.zip or (b) backup/cmme_cmme.zip. NOTE: it was later reported that vector a also affects CMME 1.19.
by SirGod
CVE-2008-3923 EXPLOITDB text VERIFIED
CMME 1.12 - Cross-Site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in statistics.php in Content Management Made Easy (CMME) 1.12 allow remote attackers to inject arbitrary web script or HTML via the (1) page and (2) year parameters in an hstat_year action.
by SirGod
CVE-2008-3848 EXPLOITDB text VERIFIED
Z-Breaknews 2.0 - SQL Injection via id Parameter
SQL injection vulnerability in single.php in Z-Breaknews 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by cOndemned
CVE-2008-3859 EXPLOITDB text VERIFIED
Davlin Thickbox Gallery 2 - Info Disclosure
Davlin Thickbox Gallery 2 allows remote attackers to obtain the administrative username and MD5 password hash via a direct request to conf/admins.php.
by SirGod
CVE-2008-4056 EXPLOITDB text VERIFIED
matterdaddy_market 1.1 - Cross-Site Scripting via msg Parameter
Cross-site scripting (XSS) vulnerability in admin/login.php in Matterdaddy Market 1.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by Sam Georgiou
CVE-2008-4054 EXPLOITDB text VERIFIED
Kolifa Download Script 1.2 - SQL Injection via id Parameter
SQL injection vulnerability in indir.php in Kolifa.net Download Script 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Kacak
CVE-2008-7099 EXPLOITDB text VERIFIED
Qsoft K-Rate Premium - Remote Code Execution via Manage Templates Feature
Unspecified vulnerability in the Manage Templates feature in Qsoft K-Rate Premium allows remote attackers to execute arbitrary PHP code via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by Corwin
CVE-2008-7114 EXPLOITDB text VERIFIED
iFdate < 2.0.3 - SQL Injection via Name Field
SQL injection vulnerability in members_search.php in iFusion Services iFdate 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the name field.
by ~!Dok_tOR!~
EIP-2026-107662 EXPLOITDB text VERIFIED
HPSystem Management Homepage (SMH) 2.1.12 - 'message.php' Cross-Site Scripting
by Luca Carettoni
CVE-2008-3926 EXPLOITDB text VERIFIED
CMME 1.12 - Path Traversal
Multiple directory traversal vulnerabilities in Content Management Made Easy (CMME) 1.12 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the env parameter in a weblog action to index.php, or (2) create arbitrary directories via a .. (dot dot) in the env parameter in a login action to admin.php.
by SirGod
CVE-2008-4051 EXPLOITDB text VERIFIED
Smart Survey 1.0 - Cross-Site Scripting via sid Parameter
Cross-site scripting (XSS) vulnerability in surveyresults.asp in Smart Survey 1.0 allows remote attackers to inject arbitrary web script or HTML via the sid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by Bug Researchers Group
EIP-2026-100299 EXPLOITDB text VERIFIED
Educe ASP Search Engine 1.5.6 - 'search.asp' Cross-Site Scripting
by JoCk3r
CVE-2008-7054 EXPLOITDB text VERIFIED
ezContents 2.0.3 - Path Traversal via Multiple Parameters
Multiple directory traversal vulnerabilities in ezContents 2.0.3 allow remote attackers to include and execute arbitrary local files via the (1) gsLanguage and (2) language_home parameters to modules/diary/showdiary.php; (3) admin_home, (4) gsLanguage, and (5) language_home parameters to modules/diary/showdiarydetail.php; (6) gsLanguage and (7) language_home parameters to modules/diary/submit_diary.php; (8) admin_home parameter to modules/news/news_summary.php; (9) nLink, (10) gsLanguage, and (11) language_home parameters to modules/news/inlinenews.php; and possibly other unspecified vectors in (12) diary/showeventlist.php, (13) gallery/showgallery.php, (14) reviews/showreviews.php, (15) gallery/showgallerydetails.php, (16) reviews/showreviewsdetails.php, (17) news/shownewsdetails.php, (18) gallery/submit_gallery.php, (19) guestbook/submit_guestbook.php, (20) reviews/submit_reviews.php, (21) news/submit_news.php, (22) diary/inlineeventlist.php, and (23) news/archivednews_summary.php in modules/, related to the lack of directory traversal protection in modules/moduleSec.php.
by DSecRG
EIP-2026-113248 EXPLOITDB text VERIFIED
WebBoard 2.0 - Arbitrary SQL Question/Anwser Delete
by t0pP8uZz
CVE-2008-3787 EXPLOITDB text VERIFIED
Web Directory Script <2.0 - SQL Injection
SQL injection vulnerability in listing_view.php in Web Directory Script 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the name parameter.
by ~!Dok_tOR!~
CVE-2008-3851 EXPLOITDB text VERIFIED
Pluck CMS 4.5.2 - Unauthenticated Path Traversal via Blogpost, Cat, and File Parameters
Multiple directory traversal vulnerabilities in Pluck CMS 4.5.2 on Windows allow remote attackers to include and execute arbitrary local files via a ..\ (dot dot backslash) in the (1) blogpost, (2) cat, and (3) file parameters to data/inc/themes/predefined_variables.php, as reachable through index.php; and the (4) blogpost and (5) cat parameters to data/inc/blog_include_react.php, as reachable through index.php. NOTE: the issue involving vectors 1 through 3 reportedly exists because of an incomplete fix for CVE-2008-3194.
by DSecRG
EIP-2026-110906 EXPLOITDB text VERIFIED
PHP-Ultimate WebBoard 2.0 - 'admindel.php' Multiple Input Validation Vulnerabilities
by t0pP8uZz
CVE-2008-3783 EXPLOITDB text VERIFIED
Matterdaddy Market 1.1 - SQL Injection
Multiple SQL injection vulnerabilities in index.php in Matterdaddy Market 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) type parameters.
by ~!Dok_tOR!~
CVE-2008-7055 EXPLOITDB text VERIFIED
ezContents 2.0.3 - Remote File Inclusion via Doubled Dot Dot Slash in Link Parameter
module.php in ezContents 2.0.3 allows remote attackers to bypass the directory traversal protection mechanism to include and execute arbitrary local files via "....//" (doubled dot dot slash) sequences in the link parameter, which is not properly filtered using the str_replace function.
by DSecRG
CVE-2008-3845 EXPLOITDB text VERIFIED
Crafty Syntax Live Help <2.14.6 - SQL Injection
Multiple SQL injection vulnerabilities in Crafty Syntax Live Help (CSLH) 2.14.6 and earlier allow remote attackers to execute arbitrary SQL commands via the department parameter to (1) is_xmlhttp.php and (2) is_flush.php.
by GulfTech Security
CVE-2008-3784 EXPLOITDB text VERIFIED
BtiTracker <1.4.7, xBtiTracker <2.0.542 - SQL Injection
SQL injection vulnerability in scrape.php in BtiTracker 1.4.7 and earlier and xBtiTracker 2.0.542 and earlier allows remote attackers to execute arbitrary SQL commands via the info_hash parameter.
by InATeam
CVE-2008-4053 EXPLOITDB text VERIFIED
Bluemoon PopnupBLOG <3.20-3.30 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in index.php in the Bluemoon PopnupBLOG module 3.20 and 3.30 for XOOPS allow remote attackers to inject arbitrary web script or HTML via the (1) param, (2) cat_id, and (3) view parameters.
by Lostmon