Exploitdb Exploits
50,076 exploits tracked across all sources.
Cisco AnyConnect Secure Mobility 2.x/3.x/4.x - Client Denial of Service (PoC)
by LiquidWorm

Milw0rm Clone Script 1.0 - SQL Injection via usr or pwd Parameter
Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm Clone Script 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) usr or (2) pwd parameter.
by walid naceri

ZCMS 1.1 - SQL Injection
SQL injection vulnerability in ZCMS 1.1.
by hyp3rlinx
CVSS 9.8

SE HTML5 Album Audio Player < 1.1.0 - Path Traversal via File Parameter
Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
by Larry W. Cashdollar

Aviary Image Editor Add-on for Gravity Forms < 3.0 - Unauthenticated Arbitrary File Upload via upload.php
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/gform_aviary.
by Larry W. Cashdollar
CVSS 9.8

ClickHeat < 1.1.4 - Cross-Site Request Forgery via Config Action
Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a config action to index.php.
by David Shanahan

Opsview < 4.6.2 - Cross-Site Scripting via Crafted Check Plugin or Host Profile Description
Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to a Test service check page.
by Dolev Farhi

ZCMS 1.1 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1.
by hyp3rlinx
CVSS 4.8

OSSEC 2.7-2.8.1 - Local Privilege Escalation via syscheck/seechanges.c
syscheck/seechanges.c in OSSEC 2.7 through 2.8.1 on NIX systems allows local users to execute arbitrary code as root.
by Andrew Widdersheim
CVSS 7.0

RobotCPA 5 for WordPress - Path Traversal via f.php l Parameter
The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter.
by T3N38R15
CVSS 7.5

ISPConfig < 3.0.5.4 - Authenticated SQL Injection via server Parameter
SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote attackers using CVE-2015-4119.2.
by High-Tech Bridge SA

HP WebInspect 7.8-10.4 - Authenticated XML External Entity Injection
Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10.4 update 1 allows remote authenticated users to bypass intended access restrictions via unknown vectors.
by Jakub Palaczynski

Paypal Currency Converter Basic For WooCommerce < 1.4 - Unauthenticated Arbitrary File Read via requrl Parameter
Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl parameter.
by Kuroi'SH

WordPress Plugin History Collection 1.1.1 - Arbitrary File Download
by Kuroi'SH

Encrypted Contact Form < 1.1 - Cross-Site Request Forgery via iframe_url Parameter
Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the iframe_url parameter in an Update Page action in the conformconf page to wp-admin/options-general.php.
by Nitin Venkatesh

ISPConfig < 3.0.5.4 - Cross-Site Request Forgery via Admin User Creation
Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php or (2) arbitrary users for requests that conduct SQL injection attacks via the server parameter to monitor/show_sys_state.php.
by High-Tech Bridge SA

FiverrScript 7.2 - Cross-Site Request Forgery via Admin Creation Endpoint
Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka Fiverr Script) 7.2 allows remote attackers to hijack the authentication of administrators for requests that create a new admin via a request to administrator/admins_create.php.
by Mahmoud Gamal

Apple Mac OS X < 10.10.4 - Numeric Error
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
by Pedro Ribeiro

ProFTPD 1.3.5 - Unauthenticated Arbitrary File Read and Write via mod_copy Site Commands
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
by Metasploit

libmimedir - Remote Code Execution via Malformed VCF File
libmimedir allows remote attackers to execute arbitrary code via a VCF file with two NULL bytes at the end of the file, related to "free" function calls in the "lexer's memory clean-up procedure."
by Jeremy Brown