Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2008-1983 EXPLOITDB text VERIFIED
Advanced Electron Forum 1.0.6 - XSS
Cross-site scripting (XSS) vulnerability in Advanced Electron Forum (AEF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the beg parameter in a members action to index.php.
by ZoRLu
CVE-2008-1992 EXPLOITDB text VERIFIED
Acidcat CMS 3.4.1 - Info Disclosure
Acidcat CMS 3.4.1 does not properly restrict access to (1) default_mail_aspemail.asp, (2) default_mail_cdosys.asp or (3) default_mail_jmail.asp, which allows remote attackers to bypass restrictions and relay email messages with modified From, FromName, and To fields.
by BugReport.IR
CVE-2008-1991 EXPLOITDB text VERIFIED
Acidcat CMS 3.4.1 - Cross-Site Scripting via admin_colors_swatch.asp field Parameter
Cross-site scripting (XSS) vulnerability in admin_colors_swatch.asp in Acidcat CMS 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the field parameter.
by BugReport.IR
CVE-2008-1990 EXPLOITDB text VERIFIED
Acidcat CMS 3.4.1 - SQL Injection via cID or Username Parameter
Multiple SQL injection vulnerabilities in Acidcat CMS 3.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) cID parameter to default.asp and the (2) username parameter to main_login2.asp.
by BugReport.IR
CVE-2008-2091 EXPLOITDB text VERIFIED
KubeLabs Kubelance 1.6.4 - Path Traversal via IPN i Parameter
Directory traversal vulnerability in ipn.php in KubeLabs Kubelance 1.6.4 allows remote attackers to include and execute arbitrary local files via the i parameter.
by Crackers_Child
EIP-2026-107635 EXPLOITDB text VERIFIED
HostDirectory Pro - Insecure Cookie Handling
by Crackers_Child
EIP-2026-107629 EXPLOITDB text VERIFIED
Host Directory PRO - Cookie Security Bypass
by Crackers_Child
CVE-2008-1993 EXPLOITDB text VERIFIED
acidcat_cms 3.4.1 - Unauthenticated Arbitrary File Upload via FCKEditor
Acidcat CMS 3.4.1 does not restrict access to the FCKEditor component, which allows remote attackers to upload arbitrary files.
by BugReport.IR
CVE-2008-1939 EXPLOITDB text VERIFIED
W1L3D4 Philboard 1.0 - SQL Injection
Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) topic parameters to (a) philboard_reply.asp, and the (3) forumid parameter to (b) philboard_newtopic.asp, different vectors than CVE-2007-2641 and CVE-2007-0920.
by U238
EIP-2026-114479 EXPLOITDB text VERIFIED
XOOPS Recette 2.2 - 'detail.php' SQL Injection
by S@BUN
CVE-2008-1962 EXPLOITDB text VERIFIED
Aterr 0.9.1 - Path Traversal via Class or File Parameter
Multiple directory traversal vulnerabilities in Aterr 0.9.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) class parameter to include/functions.inc.php and the (2) file parameter to include/common.inc.php.
by KnocKout
CVE-2008-1919 EXPLOITDB text VERIFIED
YourFreeWorld Apartment Search Script - SQL Injection
SQL injection vulnerability in listtest.php in YourFreeWorld Apartment Search Script allows remote attackers to execute arbitrary SQL commands via the r parameter.
by Crackers_Child
CVE-2008-1961 EXPLOITDB text VERIFIED
Voice Of Web AllMyGuests 0.4.1 - SQL Injection
SQL injection vulnerability in index.php in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to execute arbitrary SQL commands via the AMG_id parameter in a comments action.
by Player
CVE-2008-6586 EXPLOITDB text VERIFIED
Torrent WebUI 0.315 - Cross-Site Request Forgery via add-url and setsetting Actions
Cross-site request forgery (CSRF) vulnerability in gui/index.php in µTorrent (uTorrent) WebUI 0.315 allows remote attackers to (1) hijack the authentication of users for requests that force the download of arbitrary torrent files via the add-url action and (2) hijack the authentication of administrators for requests that modify the administrator account via the setsetting action.
by th3.r00k
CVE-2008-4769 EXPLOITDB text VERIFIED
WordPress < 2.3.3 - Path Traversal via Cat Parameter
Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information.
by Gerendi Sandor Attila
CVE-2008-1956 EXPLOITDB text VERIFIED
Wikepage Opus 13 2007.2 - Cross-Site Scripting via Wiki Parameter
Cross-site scripting (XSS) vulnerability in index.php in Wikepage Opus 13 2007.2 allows remote attackers to inject arbitrary web script or HTML via the wiki parameter.
by Gerendi Sandor Attila
CVE-2008-4768 EXPLOITDB text VERIFIED
TLM CMS 3.1 - SQL Injection via nom Parameter
SQL injection vulnerability in TLM CMS 3.1 allows remote attackers to execute arbitrary SQL commands via the nom parameter to a-b-membres.php. NOTE: the goodies.php vector is already covered by CVE-2007-4808. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by ZoRLu
CVE-2008-6081 EXPLOITDB text VERIFIED
Simple Customer 1.2 - SQL Injection
SQL injection vulnerability in contact.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by t0pP8uZz
CVE-2008-1971 EXPLOITDB text VERIFIED
phShoutBox Final <1.5 - Privilege Escalation
phShoutBox Final 1.5 and earlier only checks passwords when specified in $_POST, which allows remote attackers to gain privileges by setting the (1) phadmin cookie to admin.php, or (2) in 1.4 and earlier, the ssbadmin cookie to shoutadmin.php.
by t0pP8uZz
CVE-2008-1963 EXPLOITDB text VERIFIED
Quate Grape Web Statistics 0.2a - Remote Code Execution via Location Parameter
PHP remote file inclusion vulnerability in includes/functions.php in Quate Grape Web Statistics 0.2a allows remote attackers to execute arbitrary PHP code via a URL in the location parameter.
by MajnOoNxHaCkEr
CVE-2008-1921 EXPLOITDB text VERIFIED
5th Avenue Shopping Cart 1.2 - SQL Injection
SQL injection vulnerability in store_pages/category_list.php in 5th Avenue Shopping Cart 1.2 trial edition allows remote attackers to execute arbitrary SQL commands via the category_ID parameter.
by Aria-Security Team
CVE-2008-6199 EXPLOITDB text VERIFIED
2532gigs <= 1.2.2 - Unauthenticated Sensitive Information Exposure via Direct Backup Request
2532designs 2532|Gigs 1.2.2 and earlier allows remote attackers to trigger a backup and obtain sensitive information via a direct request to backup.php, which creates backup.sql under the web root with insufficient access control.
by t0pP8uZz
EIP-2026-104177 EXPLOITDB text VERIFIED
Azureus HTML WebUI 0.7.6 - Cross-Site Request Forgery
by th3.r00k
CVE-2008-1436 EXPLOITDB text VERIFIED
Microsoft Windows XP-Vista-2003-2008 - Privilege Escalation
Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping.
by Cesar Cerrudo
CVE-2008-6212 EXPLOITDB text VERIFIED
php-stats 0.1.9.1 - Cross-Site Scripting via sel_mese and sel_anno Parameters
Cross-site scripting (XSS) vulnerability in admin.php in Php-Stats 0.1.9.1 allows remote attackers to inject arbitrary web script or HTML via the (1) sel_mese and (2) sel_anno parameters in a systems action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
by ZoRLu