Exploitdb Exploits
50,076 exploits tracked across all sources.
WordPress SupportEzzy Ticket System 1.2.5 - XSS
Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket System plugin 1.2.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the "URL (optional)" field in a new ticket.
by Halil Dalabasmaz
Photo Gallery 1.2.5 - Info Disclosure
Unrestricted File Upload vulnerability in Photo Gallery 1.2.5.
by Kacper Szurek
CVSS 8.8
Subex ROC Fraud Mgmt <7.4 - SQL Injection
SQL injection vulnerability in the login page (login/login) in Subex ROC Fraud Management (aka Fraud Management System and FMS) 7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ranger_user[name] parameter.
by Anastasios Monachos
ManageEngine Password Manager Pro < 7.1 - Authenticated SQL Injection via BulkEditSearchResult.cc SEARCH_ALL Parameter
SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter.
by Pedro Ribeiro
vldPersonals < 2.7 - Cross-Site Scripting via Member Profile ID Parameter
Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php.
by Mr T
Microsoft Internet Explorer 11 - Denial of Service
by Behrooz Abbassi
Another WordPress Classifieds Plugin - SQL Injection via keywordphrase Parameter
SQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the keywordphrase parameter in a dosearch action.
by dill
XCloner 3.1.1 and 3.5.1 - Exposure of Sensitive Information via Command Line Arguments
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command.
by Larry W. Cashdollar
vldPersonals <2.7.1 - SQL Injection
Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 allow remote attackers to execute arbitrary SQL commands via the (1) country, (2) gender1, or (3) gender2 parameter in a search action to index.php.
by Mr T
Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities
by Halil Dalabasmaz
phpSound 1.0.5 - Stored Cross-Site Scripting via Playlist Title or Description
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.php.
by Halil Dalabasmaz
php-fusion 7.02.07 - Authenticated SQL Injection via submit_id or status Parameter
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php.
by XLabs Security
ManageEngine Password Manager Pro < 7.1 - Authenticated SQL Injection via SEARCH_ALL Parameter
Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc.
by Pedro Ribeiro
ManageEngine OpManager 11.3-11.4, IT360 10.3-10.4, Social IT Plus 11.0 - SQL Injection
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
by Pedro Ribeiro
Visual Mining NetCharts Server - Unrestricted File Upload and Remote Code Execution
Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
by Metasploit
CVSS 9.8
Barracuda - Multiple Unauthenticated Logfile Downloads
by 4CKnowLedge
i-Ftp 2.20 - Stack-based Buffer Overflow via Schedule.xml Time Attribute
A stack-based buffer overflow vulnerability exists in i-Ftp version 2.20 due to improper handling of the Time attribute within Schedule.xml. By placing a specially crafted Schedule.xml file in the i-Ftp application directory, a remote attacker can trigger a buffer overflow during scheduled download parsing, potentially leading to arbitrary code execution or a crash.
by metacom
VMware Workstation 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read
by KoreLogic
X7 Chat <2.0.5.1 - Authenticated RCE
lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the eval switch.
by Metasploit
Symantec Endpoint Protection Manager <12.1 - RCE
ConsoleServlet in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU5 allows remote attackers to write to arbitrary files via unspecified vectors.
by SEC Consult