Text Exploits
31,394 exploits tracked across all sources.
Advanced Electron Forum 1.0.6 - XSS
Cross-site scripting (XSS) vulnerability in Advanced Electron Forum (AEF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the beg parameter in a members action to index.php.
by ZoRLu
Acidcat CMS 3.4.1 - Info Disclosure
Acidcat CMS 3.4.1 does not properly restrict access to (1) default_mail_aspemail.asp, (2) default_mail_cdosys.asp or (3) default_mail_jmail.asp, which allows remote attackers to bypass restrictions and relay email messages with modified From, FromName, and To fields.
by BugReport.IR
Acidcat CMS 3.4.1 - Cross-Site Scripting via admin_colors_swatch.asp field Parameter
Cross-site scripting (XSS) vulnerability in admin_colors_swatch.asp in Acidcat CMS 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the field parameter.
by BugReport.IR
Acidcat CMS 3.4.1 - SQL Injection via cID or Username Parameter
Multiple SQL injection vulnerabilities in Acidcat CMS 3.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) cID parameter to default.asp and the (2) username parameter to main_login2.asp.
by BugReport.IR
KubeLabs Kubelance 1.6.4 - Path Traversal via IPN i Parameter
Directory traversal vulnerability in ipn.php in KubeLabs Kubelance 1.6.4 allows remote attackers to include and execute arbitrary local files via the i parameter.
by Crackers_Child
HostDirectory Pro - Insecure Cookie Handling
by Crackers_Child
Host Directory PRO - Cookie Security Bypass
by Crackers_Child
acidcat_cms 3.4.1 - Unauthenticated Arbitrary File Upload via FCKEditor
Acidcat CMS 3.4.1 does not restrict access to the FCKEditor component, which allows remote attackers to upload arbitrary files.
by BugReport.IR
W1L3D4 Philboard 1.0 - SQL Injection
Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) topic parameters to (a) philboard_reply.asp, and the (3) forumid parameter to (b) philboard_newtopic.asp, different vectors than CVE-2007-2641 and CVE-2007-0920.
by U238
Aterr 0.9.1 - Path Traversal via Class or File Parameter
Multiple directory traversal vulnerabilities in Aterr 0.9.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) class parameter to include/functions.inc.php and the (2) file parameter to include/common.inc.php.
by KnocKout
YourFreeWorld Apartment Search Script - SQL Injection
SQL injection vulnerability in listtest.php in YourFreeWorld Apartment Search Script allows remote attackers to execute arbitrary SQL commands via the r parameter.
by Crackers_Child
Voice Of Web AllMyGuests 0.4.1 - SQL Injection
SQL injection vulnerability in index.php in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to execute arbitrary SQL commands via the AMG_id parameter in a comments action.
by Player
Torrent WebUI 0.315 - Cross-Site Request Forgery via add-url and setsetting Actions
Cross-site request forgery (CSRF) vulnerability in gui/index.php in µTorrent (uTorrent) WebUI 0.315 allows remote attackers to (1) hijack the authentication of users for requests that force the download of arbitrary torrent files via the add-url action and (2) hijack the authentication of administrators for requests that modify the administrator account via the setsetting action.
by th3.r00k
WordPress < 2.3.3 - Path Traversal via Cat Parameter
Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information.
by Gerendi Sandor Attila
Wikepage Opus 13 2007.2 - Cross-Site Scripting via Wiki Parameter
Cross-site scripting (XSS) vulnerability in index.php in Wikepage Opus 13 2007.2 allows remote attackers to inject arbitrary web script or HTML via the wiki parameter.
by Gerendi Sandor Attila
TLM CMS 3.1 - SQL Injection via nom Parameter
SQL injection vulnerability in TLM CMS 3.1 allows remote attackers to execute arbitrary SQL commands via the nom parameter to a-b-membres.php. NOTE: the goodies.php vector is already covered by CVE-2007-4808. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by ZoRLu
Simple Customer 1.2 - SQL Injection
SQL injection vulnerability in contact.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by t0pP8uZz
phShoutBox Final <1.5 - Privilege Escalation
phShoutBox Final 1.5 and earlier only checks passwords when specified in $_POST, which allows remote attackers to gain privileges by setting the (1) phadmin cookie to admin.php, or (2) in 1.4 and earlier, the ssbadmin cookie to shoutadmin.php.
by t0pP8uZz
Quate Grape Web Statistics 0.2a - Remote Code Execution via Location Parameter
PHP remote file inclusion vulnerability in includes/functions.php in Quate Grape Web Statistics 0.2a allows remote attackers to execute arbitrary PHP code via a URL in the location parameter.
by MajnOoNxHaCkEr
5th Avenue Shopping Cart 1.2 - SQL Injection
SQL injection vulnerability in store_pages/category_list.php in 5th Avenue Shopping Cart 1.2 trial edition allows remote attackers to execute arbitrary SQL commands via the category_ID parameter.
by Aria-Security Team
2532gigs <= 1.2.2 - Unauthenticated Sensitive Information Exposure via Direct Backup Request
2532designs 2532|Gigs 1.2.2 and earlier allows remote attackers to trigger a backup and obtain sensitive information via a direct request to backup.php, which creates backup.sql under the web root with insufficient access control.
by t0pP8uZz
Azureus HTML WebUI 0.7.6 - Cross-Site Request Forgery
by th3.r00k
Microsoft Windows XP-Vista-2003-2008 - Privilege Escalation
Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping.
by Cesar Cerrudo
php-stats 0.1.9.1 - Cross-Site Scripting via sel_mese and sel_anno Parameters
Cross-site scripting (XSS) vulnerability in admin.php in Php-Stats 0.1.9.1 allows remote attackers to inject arbitrary web script or HTML via the (1) sel_mese and (2) sel_anno parameters in a systems action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by ZoRLu
By Source