Exploitdb Exploits

50,076 exploits tracked across all sources.

Sort: Activity Stars
CVE-2005-0271 EXPLOITDB
ReviewPost PHP Pro < 2.84 - SQL Injection via showcat.php cat Parameter or addfav.php product Parameter
Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php.
CVE-2021-31329 EXPLOITDB MEDIUM
Remote Clinic 2.0 - Stored Cross-Site Scripting via Chat and Personal Address Fields
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Chat" and "Personal Address" field on staff/register.php
CVSS 5.4
CVE-2021-30030 EXPLOITDB MEDIUM
Remote Clinic 2.0 - Stored Cross-Site Scripting via Full Name Field
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php.
CVSS 5.4
CVE-2021-30034 EXPLOITDB MEDIUM
Remote Clinic 2.0 - Stored Cross-Site Scripting via Symptoms Field
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php.
CVSS 5.4
CVE-2021-30039 EXPLOITDB MEDIUM
Remote Clinic 2.0 - Stored Cross-Site Scripting via Patient Report Fields
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php.
CVSS 5.4
CVE-2021-30042 EXPLOITDB MEDIUM
Remote Clinic 2.0 - Stored Cross-Site Scripting via Clinic Registration Fields
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on clinics/register.php
CVSS 5.4
CVE-2015-7381 EXPLOITDB
refbase < 0.9.6 - Remote Code Execution via pathToMYSQL or databaseStructureFile Parameter
Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008.
CVE-2000-0248 EXPLOITDB ruby
Red Hat Linux Piranha - Command Injection
The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands.
CVE-2006-3210 EXPLOITDB
Ralf Image Gallery < 1.0 - Remote File Inclusion and Directory Traversal via dir_abs_src Parameter
Ralf Image Gallery (RIG) 0.7.4 and other versions before 1.0, when register_globals is enabled, allows remote attackers to conduct PHP remote file inclusion and directory traversal attacks via URLs or ".." sequences in the (1) dir_abs_src parameter in (a) check_entry.php, (b) admin_album.php, (c) admin_image.php, and (d) admin_util.php; and the (2) dir_abs_admin_src parameter in admin_album.php and admin_image.php. NOTE: this issue can be leveraged to conduct cross-site scripting (XSS) attacks.
CVE-2009-4694 EXPLOITDB
RadScripts RadLance Gold 7.5 - Cross-Site Scripting via fid Parameter
Cross-site scripting (XSS) vulnerability in index.php in RadScripts RadLance Gold 7.5 allows remote attackers to inject arbitrary web script or HTML via the fid parameter in a view_forum action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6673 EXPLOITDB
QuickerSite 1.8.5 - Unauthenticated Administrative Functionality Access
asp/bs_login.asp in QuickerSite 1.8.5 does not properly restrict access to administrative functionality, which allows remote attackers to (1) change the admin password via the cSaveAdminPW action; (2) modify site information, such as the contact address, via the saveAdmin; and (3) modify the site design via the saveDesign action.
CVE-2008-6674 EXPLOITDB
QuickerSite 1.8.5 - Denial of Service via mailPage.asp sEmail Parameter
mailPage.asp in QuickerSite 1.8.5 allows remote attackers to flood e-mail accounts with messages via a large number of requests with a modified sEmail parameter.
CVE-2008-6675 EXPLOITDB
QuickerSite 1.8.5 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in QuickerSite 1.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the close parameter to showThumb.aspx; (2) SB_redirect and (3) SB_feedback parameters in process_send.asp, as reachable through default.asp; (4) paramCode and (5) cColor parameters to picker.asp; and the (6) query string, (7) Referer header, and (8) X-FORWARDED-FOR header to rss.asp.
CVE-2008-6676 EXPLOITDB
QuickerSite 1.8.5 - Information Disclosure via showThumb.aspx
QuickerSite 1.8.5 allows remote attackers to obtain sensitive information via a request to showThumb.aspx without any parameters, which reveals the installation path in an error message.
CVE-2008-6677 EXPLOITDB
QuickerSite 1.8.5 - Remote Code Execution via Unrestricted File Upload
Unrestricted file upload vulnerability in fckeditor251/editor/filemanager/connectors/asp/upload.asp in QuickerSite 1.8.5 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.
CVE-2006-0668 EXPLOITDB perl
PwsPHP 1.2.3 - SQL Injection via id Parameter
SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly in message.php in the espace_membre module. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2005-3747 EXPLOITDB
Jetty < 5.1.6 - Unauthenticated Source Code Exposure via URL-Encoded Backslash
Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.
CVE-2008-6231 EXPLOITDB
Pre Classified Listing PHP - Unauthenticated Authentication Bypass via Cookie Manipulation
Pre Classified Listing PHP allows remote attackers to bypass authentication and gain administrative access by setting the (1) adminname and the (2) adminid cookies to "admin".
CVE-2008-4425 EXPLOITDB
Phlatline Personal Information Manager 1.0 - Path Traversal & Arbitrary File Deletion via Upload.php
Directory traversal vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter within a delfile action.
CVE-2008-4426 EXPLOITDB
Phlatline Personal Information Manager 1.0 - Cross-Site Scripting via events.php date parameter
Cross-site scripting (XSS) vulnerability in events.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to inject arbitrary web script or HTML via the date parameter in a new action.
CVE-2008-4425 EXPLOITDB
Phlatline Personal Information Manager 1.0 - Path Traversal & Arbitrary File Deletion via Upload.php
Directory traversal vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter within a delfile action.
CVE-2008-4426 EXPLOITDB
Phlatline Personal Information Manager 1.0 - Cross-Site Scripting via events.php date parameter
Cross-site scripting (XSS) vulnerability in events.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to inject arbitrary web script or HTML via the date parameter in a new action.
CVE-2008-4427 EXPLOITDB
Phlatline Personal Information Manager < 1.0 - Unauthenticated Arbitrary Password Change
changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords.
CVE-2008-4428 EXPLOITDB
Phlatline Personal Information Manager < 1.0 - Unauthenticated Arbitrary File Upload via upload.php
Unrestricted file upload vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in the top-level directory.
CVE-2008-4427 EXPLOITDB
Phlatline Personal Information Manager < 1.0 - Unauthenticated Arbitrary Password Change
changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords.
By Source
All 50,076 Writeup 62,282 Exploitdb 50,076 Nomisec 22,409 Github 3,626 Metasploit 3,312 Vulncheck_xdb 927 Inthewild 514 Gitlab 479 Gitee 415 Patchapalooza 312
By Language
text 31,386 python 6,570 ruby 6,003 c 3,626 perl 2,849 html 2,075 php 1,333 bash 462 java 371 c++ 261 javascript 229 shell 131 go 73 postscript 25 typescript 25