Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2008-2188 EXPLOITDB text VERIFIED
EJ3 BlackBook 1.0 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in EJ3 BlackBook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) bookCopyright and (2) ver parameters to (a) footer.php, and the (3) bookName, (4) bookMetaTags, and (5) estiloCSS parameters to (b) header.php.
by Khashayar Fereidani
CVE-2008-2188 EXPLOITDB text VERIFIED
EJ3 BlackBook 1.0 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in EJ3 BlackBook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) bookCopyright and (2) ver parameters to (a) footer.php, and the (3) bookName, (4) bookMetaTags, and (5) estiloCSS parameters to (b) header.php.
by Khashayar Fereidani
CVE-2008-2186 EXPLOITDB text VERIFIED
Cilekyazilim Chicomas - XSS
Cross-site scripting (XSS) vulnerability in index.php in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to inject arbitrary web script or HTML via the q parameter.
by Hadi Kiamarsi
CVE-2008-2118 EXPLOITDB text VERIFIED
Project Alumni 1.0.9 - SQL Injection via id Parameter
SQL injection vulnerability in info.php in Project Alumni 1.0.9 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by hadihadi
CVE-2008-2117 EXPLOITDB text VERIFIED
Project Alumni 1.0.9 - Cross-Site Scripting via News Page Year Parameter
Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Project Alumni 1.0.9 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a news action to index.php, a different vector than CVE-2007-6126.
by hadihadi
CVE-2008-2106 EXPLOITDB text VERIFIED
Call of Duty 4 < 1.5 - Authenticated Denial of Service via Type 7 Stats Packet
Call of Duty 4 (CoD4) 1.5 and earlier allows remote authenticated users to cause a denial of service (crash) via a type 7 stats packet, which triggers a memcpy with a negative value.
by Luigi Auriemma
CVE-2008-2072 EXPLOITDB text VERIFIED
Virtual Design Studio vlbook 1.21 - Cross-Site Scripting via l Parameter
Cross-site scripting (XSS) vulnerability in index.php in Virtual Design Studio vlbook 1.21 allows remote attackers to inject arbitrary web script or HTML via the l parameter, a different vector than CVE-2006-3260.
by Khashayar Fereidani
CVE-2010-5063 EXPLOITDB text VERIFIED
Virtual War <1.6.1 R2 - SQL Injection
SQL injection vulnerability in article.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the ratearticleselect parameter.
by Darren McDonald
CVE-2008-2073 EXPLOITDB text VERIFIED
vlbook 1.21 - Path Traversal via l Parameter
Directory traversal vulnerability in include/global.inc.php in Virtual Design Studio vlbook 1.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the l parameter.
by Khashayar Fereidani
CVE-2008-2187 EXPLOITDB text VERIFIED
Mjguest 6.7 GT Rev.01 - Cross-Site Scripting via Level Parameter
Cross-site scripting (XSS) vulnerability in mjguest.php in Mjguest 6.7 GT Rev.01 allows remote attackers to inject arbitrary web script or HTML via the level parameter in a redirect action, possibly involving interface/redirect.htm.php.
by Khashayar Fereidani
CVE-2008-2076 EXPLOITDB text VERIFIED
ActualScripts ActualAnalyzer Lite 2.78 - Remote File Inclusion via Admin.php Style Parameter
Directory traversal vulnerability in admin.php in ActualScripts ActualAnalyzer Lite 2.78 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the style parameter.
by Khashayar Fereidani
CVE-2008-2215 EXPLOITDB text VERIFIED
Project-Based Calendaring System 0.7.1-1 - Path Traversal via Filename Parameter
Multiple directory traversal vulnerabilities in Project-Based Calendaring System (PBCS) 0.7.1-1 allow remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter to (1) src/yopy_sync.php and (2) system-logger/print_logs.php.
by GoLd_M
CVE-2008-2216 EXPLOITDB text VERIFIED
Project-Based Calendaring System 0.7.1 - Authenticated Arbitrary File Upload via yopy_upload.php
Unrestricted file upload vulnerability in src/yopy_upload.php in Project-Based Calendaring System (PBCS) 0.7.1 allows remote authenticated users to upload arbitrary files to tmp/uploads.
by GoLd_M
CVE-2008-6651 EXPLOITDB text VERIFIED
OxYProject OxYBox 0.85 - Remote Code Injection via edithistory.php oxymsg Parameter
Static code injection vulnerability in edithistory.php in OxYProject OxYBox 0.85 allows remote attackers to inject arbitrary PHP code into oxyhistory.php via the oxymsg parameter.
by GoLd_M
CVE-2008-2220 EXPLOITDB text VERIFIED
Interact Learning Community Environment 2.4.1 - Remote Code Execution via CONFIG Parameter Manipulation
Multiple PHP remote file inclusion vulnerabilities in Interact Learning Community Environment Interact 2.4.1, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) CONFIG[LANGUAGE_CPATH] parameter to modules/forum/embedforum.php and the (2) CONFIG[BASE_PATH] parameter to modules/scorm/lib.inc.php, different vectors than CVE-2006-4448.
by RoMaNcYxHaCkEr
CVE-2008-2074 EXPLOITDB text VERIFIED
Harris Wap Chat 1.0 - Remote Code Execution via sysFileDir Parameter
Multiple PHP remote file inclusion vulnerabilities Harris Yusuf Arifin Harris Wap Chat 1.0, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the sysFileDir parameter to (1) eng.writeMsg.php, (2) eng.adCreate.php, (3) eng.adCreateSave.php, (4) eng.adDispByTypeOptions.php, (5) eng.createRoom.php, (6) eng.forward.php, (7) eng.pageLogout.php, (8) eng.resultMember.php, (9) eng.roomDeleteConfirm.php, (10) eng.saveNewRoom.php, and (11) eng.searchMember.php in src/.
by k1n9k0ng
CVE-2008-2219 EXPLOITDB text VERIFIED
C-News 1.0.1 - Cross-Site Scripting via Etape Parameter
Cross-site scripting (XSS) vulnerability in install.php in C-News.fr C-News 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the etape parameter.
by ZoRLu
CVE-2008-2045 EXPLOITDB text VERIFIED
SugarCRM 4.5.1 and 5.0.0 - Path Traversal via URL Parameter in Feed.php
Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory.
by Roberto Suggi Liverani
CVE-2008-4913 EXPLOITDB text VERIFIED
LokiCMS <= 0.3.3 - Unauthenticated Arbitrary File Deletion via Admin.php Delete Parameter
Directory traversal vulnerability in admin.php in LokiCMS 0.3.3 and earlier allows remote attackers to delete arbitrary files via a .. (dot dot) in the delete parameter.
by cOndemned
CVE-2008-1084 EXPLOITDB text VERIFIED
Microsoft Windows Kernel - Local Code Execution via NtUserFnOUTSTRING Input Validation
Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, through Vista SP1, and Server 2008 allows local users to execute arbitrary code via unknown vectors related to improper input validation. NOTE: it was later reported that one affected function is NtUserFnOUTSTRING in win32k.sys.
by Ruben Santamarta
CVE-2008-2069 EXPLOITDB text VERIFIED
Novell GroupWise 7 - Buffer Overflow via Long Argument in mailto: URI
Buffer overflow in Novell GroupWise 7 allows remote attackers to cause a denial of service or execute arbitrary code via a long argument in a mailto: URI.
by Juan Yacubian
CVE-2008-2087 EXPLOITDB text VERIFIED
Softbiz Web Hosting Directory Script - SQL Injection via search_result.php host_id Parameter
SQL injection vulnerability in search_result.php in Softbiz Web Host Directory Script, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the host_id parameter, a different vector than CVE-2005-3817.
by K-159
CVE-2008-2083 EXPLOITDB text VERIFIED
Prozilla Hosting Index - SQL Injection via cat_id Parameter
SQL injection vulnerability in directory.php in Prozilla Hosting Index, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
by K-159
CVE-2008-2063 EXPLOITDB text VERIFIED
Joovili 3.1 - SQL Injection via Category Parameter
SQL injection vulnerability in browse.videos.php in Joovili 3.1 allows remote attackers to execute arbitrary SQL commands via the category parameter.
by HaCkeR_EgY
CVE-2006-2026 EXPLOITDB text VERIFIED
libtiff < 3.8.1 - Double Free in tif_jpeg.c
Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
by Tavis Ormandy