Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2008-2753 EXPLOITDB text VERIFIED
Pooya Site Builder 6.0 - SQL Injection via xslIdn or part Parameter
Multiple SQL injection vulnerabilities in Pooya Site Builder (PSB) 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) xslIdn parameter to (a) utils/getXsl.aspx, and the (2) part parameter to (b) getXml.aspx and (c) getXls.aspx in utils/.
by BugReport.IR
CVE-2008-2994 EXPLOITDB text VERIFIED
PHPEasyData 1.5.4 - Cross-Site Scripting via Annuaire Parameter
Multiple cross-site scripting (XSS) vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to inject arbitrary web script or HTML via the (1) annuaire parameter to (a) last_records.php and (b) annuaire.php and the (2) by and (3) cat_id parameters to annuaire.php.
by Sylvain THUAL
CVE-2008-2995 EXPLOITDB text VERIFIED
PHPEasyData 1.5.4 - SQL Injection via Annuaire Parameter or Admin Login Username
Multiple SQL injection vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to execute arbitrary SQL commands via (1) the annuaire parameter to annuaire.php or (2) the username field in admin/login.php.
by Sylvain THUAL
CVE-2008-2994 EXPLOITDB text VERIFIED
PHPEasyData 1.5.4 - Cross-Site Scripting via Annuaire Parameter
Multiple cross-site scripting (XSS) vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to inject arbitrary web script or HTML via the (1) annuaire parameter to (a) last_records.php and (b) annuaire.php and the (2) by and (3) cat_id parameters to annuaire.php.
by Sylvain THUAL
CVE-2008-2995 EXPLOITDB text VERIFIED
PHPEasyData 1.5.4 - SQL Injection via Annuaire Parameter or Admin Login Username
Multiple SQL injection vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to execute arbitrary SQL commands via (1) the annuaire parameter to annuaire.php or (2) the username field in admin/login.php.
by Sylvain THUAL
CVE-2008-2770 EXPLOITDB text VERIFIED
MycroCMS 0.5 - SQL Injection via Entry ID Parameter
SQL injection vulnerability in index.php in MycroCMS 0.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the entry_id parameter.
by CWH Underground
EIP-2026-107950 EXPLOITDB text VERIFIED
IPTBB 0.5.6 - Arbitrary Add Admin
by CWH Underground
CVE-2008-2993 EXPLOITDB text VERIFIED
FOG Forum 0.8.1 - Path Traversal and Arbitrary File Execution via fog_lang and fog_skin Parameters
Multiple directory traversal vulnerabilities in index.php in FOG Forum 0.8.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) fog_lang and (2) fog_skin parameters, probably related to libs/required/share.inc; and possibly the (3) fog_pseudo, (4) fog_posted, (5) fog_password, and (6) fog_cook parameters.
by CWH Underground
CVE-2008-6736 EXPLOITDB text VERIFIED
Flat Calendar 1.1 - Unauthenticated Event Addition and Deletion via Admin Functions
Flat Calendar 1.1 does not properly restrict access to administrative functions, which allows remote attackers to (1) add new events via calAdd.php, as reachable from admin/add.php, or (2) delete events via admin/deleteEvent.php. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation.
by Crackers_Child
CVE-2008-2754 EXPLOITDB text VERIFIED
eFiction 3.0 and 3.4.3 - SQL Injection via toplists.php list Parameter
SQL injection vulnerability in toplists.php in eFiction 3.0 and 3.4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the list parameter.
by Mr.SQL
CVE-2008-5273 EXPLOITDB text VERIFIED
Todd Woolums ASP News Mgmt 2.2 - SQL Injection
SQL injection vulnerability in viewnews.asp in Todd Woolums ASP News Management 2.2 allows remote attackers to execute arbitrary SQL commands via the newsID parameter.
by Bl@ckbe@rD
CVE-2008-5271 EXPLOITDB text VERIFIED
SyndeoCMS 2.6.0 - Cross-Site Scripting via Section Parameter
Cross-site scripting (XSS) vulnerability in index.php in Fred Stuurman SyndeoCMS 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.
by CWH Underground
CVE-2007-3889 EXPLOITDB text VERIFIED
insanely_simple_blog < 0.5 - SQL Injection via current_subsection Parameter
Multiple SQL injection vulnerabilities in Insanely Simple Blog 0.5 and earlier allow remote attackers to execute arbitrary SQL commands via the current_subsection parameter to index.php and other unspecified vectors.
by Unohope
CVE-2008-2668 EXPLOITDB text VERIFIED
yBlog 0.2.2.2 - Cross-Site Scripting via q Parameter in search.php or n Parameter in user.php or uss.php
Multiple cross-site scripting (XSS) vulnerabilities in yBlog 0.2.2.2 allow remote attackers to inject arbitrary web script or HTML via (1) the q parameter to search.php, or the n parameter to (2) user.php or (3) uss.php.
by Unohope
CVE-2008-5270 EXPLOITDB text VERIFIED
Yuhhu Superstar 2008 - SQL Injection
SQL injection vulnerability in view.topics.php in Yuhhu Superstar 2008 allows remote attackers to execute arbitrary SQL commands via the board parameter.
by RMx
CVE-2008-2669 EXPLOITDB text VERIFIED
yBlog 0.2.2.2 - SQL Injection via Search or User Parameters
Multiple SQL injection vulnerabilities in yBlog 0.2.2.2 allow remote attackers to execute arbitrary SQL commands via (1) the q parameter to search.php, or the n parameter to (2) user.php or (3) uss.php.
by Unohope
CVE-2008-5265 EXPLOITDB text VERIFIED
TNT Forum 0.9.4 - Remote File Inclusion via Modulo Parameter
Directory traversal vulnerability in index.php in TNT Forum 0.9.4, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the modulo parameter.
by CWH Underground
CVE-2008-5272 EXPLOITDB text VERIFIED
SyndeoCMS 2.6.0 - Authenticated Path Traversal via Template Parameter
Multiple directory traversal vulnerabilities in Fred Stuurman SyndeoCMS 2.6.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the template parameter to (1) starnet/editors/fckeditor/studenteditor.php; (2) starnet/modules/sn_news/edit_content.php, reached through starnet/index.php; and (3) starnet/modules/sn_newsletter/edit_content.php, reached through starnet/index.php.
by CWH Underground
EIP-2026-109960 EXPLOITDB text VERIFIED
Noticia Portal - 'detalle_noticia.php' SQL Injection
by t@nzo0n
CVE-2008-2670 EXPLOITDB text VERIFIED
Insanelysimple2 Isblog - SQL Injection
Multiple SQL injection vulnerabilities in index.php in Insanely Simple Blog 0.5 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter, or (2) the term parameter in a search action. NOTE: the current_subsection parameter is already covered by CVE-2007-3889.
by Unohope
EIP-2026-107640 EXPLOITDB text VERIFIED
Hot Links SQL-PHP - Multiple Cross-Site Scripting Vulnerabilities
by sl4xUz
CVE-2008-5267 EXPLOITDB text VERIFIED
Experts 1.0.0 - SQL Injection via Question ID Parameter
SQL injection vulnerability in answer.php in Experts 1.0.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the question_id parameter.
by CWH Underground
CVE-2008-2672 EXPLOITDB text VERIFIED
erfurtwiki < r1.02b - Path Traversal via ewiki_id, ewiki_action, or id Parameter
Multiple directory traversal vulnerabilities in ErfurtWiki R1.02b and earlier, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) ewiki_id and (2) ewiki_action parameters to fragments/css.php, and possibly the (3) id parameter to the default URI. NOTE: the default URI is site-specific but often performs an include_once of ewiki.php.
by Unohope
CVE-2008-2671 EXPLOITDB text VERIFIED
DCFM Blog 0.9.4 - SQL Injection via Comments id Parameter
SQL injection vulnerability in comments.php in DCFM Blog 0.9.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Unohope
CVE-2008-5266 EXPLOITDB text VERIFIED
Sun Java System Application Server 9.1_01/02 Cross-Site Scripting via httpListenerEdit.jsf
Cross-site scripting (XSS) vulnerability in configuration/httpListenerEdit.jsf in the GlassFish 2 UR2 b04 webadmin interface in Sun Java System Application Server 9.1_01 build b09d-fcs and 9.1_02 build b04-fcs allows remote attackers to inject arbitrary web script or HTML via the name parameter, a different vector than CVE-2008-2751.
by Eduardo Neves