Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2013-7233 EXPLOITDB text VERIFIED
WordPress < 2.0.11 - Cross-Site Request Forgery via Retrospam Component
Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list.
by MustLive
EIP-2026-111289 EXPLOITDB html VERIFIED
Piwigo - 'admin.php' Cross-Site Request Forgery (User Creation)
by sajith
CVE-2013-6839 EXPLOITDB text
InstantCMS < 1.10.3 - SQL Injection via OrderBy Parameter
SQL injection vulnerability in InstantSoft InstantCMS 1.10.3 and earlier allows remote attackers to execute arbitrary SQL commands via the orderby parameter to catalog/[id].
by High-Tech Bridge SA
CVE-2013-6884 EXPLOITDB text
CRU Ditto Forensic FieldStation Firmware < 2013Oct15a - Default Credentials
The write-blocker in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a has a default "ditto" username and password, which allows remote attackers to gain privileges.
by Martin Wundram
CVE-2013-6420 EXPLOITDB text
PHP < 5.3.28, 5.4.x < 5.4.23, 5.5.x < 5.5.7 - Remote Code Execution via X.509 Certificate Timestamp Parsing
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
by Stefan Esser
EIP-2026-102234 EXPLOITDB text
FileMaster SY-IT 3.1 iOS - Multiple Web Vulnerabilities
by Vulnerability-Lab
EIP-2026-118080 EXPLOITDB python
VUPlayer 2.49 - '.m3u' File Universal Buffer Overflow (DEP Bypass) (2)
by Morteza Hashemi
CVE-2013-7274 EXPLOITDB text
Wallpaper Script 3.5.0082 - XSS
Cross-site scripting (XSS) vulnerability in Wallpaper Script 3.5.0082 allows remote authenticated users to inject arbitrary web script or HTML via the title field in a wallpaper file upload.
by null pointer
EIP-2026-110544 EXPLOITDB text VERIFIED
Penny Auction 5 - SQL Injection
by 3spi0n
EIP-2026-109221 EXPLOITDB text VERIFIED
Lowest Unique Bid Auction - SQL Injection
by 3spi0n
EIP-2026-107963 EXPLOITDB text
iScripts MultiCart 2.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Cross-Site Scripting / Cross-Site Request Forgery / Mass Accounts Takeover
by Saadi Siddiqui
CVE-2013-7316 EXPLOITDB bash VERIFIED
GitLab < 6.5.0 - Cross-Site Scripting via HTML File Upload
Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html.
by hellok
CVE-2013-7193 EXPLOITDB text VERIFIED
C2C Forward Auction Creator 2.0 - SQL Injection
Multiple SQL injection vulnerabilities in C2C Forward Auction Creator 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) pa parameter to auction/asp/list.asp, or the (2) UserID or (3) Password to auction/casp/admin.asp.
by R3d-D3V!L
CVE-2009-3547 EXPLOITDB HIGH c
Linux Kernel < 2.6.32-rc6 - Race Condition in Pipe Handling via /proc/*/fd/ Pathname
Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.
by spender
CVSS 7.0
CVE-2013-7136 EXPLOITDB text
UPC Ireland Cisco EPC 2425 - Info Disclosure
The UPC Ireland Cisco EPC 2425 router (aka Horizon Box) does not have a sufficiently large number of possible WPA-PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.
by Matt O'Connor
CVE-2013-6976 EXPLOITDB text
Cisco EPC3925 - Cross-Site Request Forgery via Quick Setup Password Change
Cross-site request forgery (CSRF) vulnerability in goform/Quick_setup on Cisco EPC3925 devices allows remote attackers to hijack the authentication of administrators for requests that change a password via the Password and PasswordReEnter parameters, aka Bug ID CSCuh37496.
by Jeroen - IT Nerdbox
EIP-2026-101555 EXPLOITDB text
Beetel TC1-450 Airtel Wireless Router - Multiple Cross-Site Request Forgery Vulnerabilities
by Samandeep Singh
CVE-2013-7108 EXPLOITDB text VERIFIED
Nagios Core < 4.0.2 - Info Disclosure
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
by DTAG Group Information Security
EIP-2026-116082 EXPLOITDB python VERIFIED
PotPlayer 1.5.42509 Beta - Integer Division by Zero Denial of Service
by sajith
EIP-2026-111294 EXPLOITDB text VERIFIED
Piwigo CMS 2.5.3 - Multiple Web Vulnerabilities
by sajith
CVE-2013-7190 EXPLOITDB text VERIFIED
iScripts AutoHoster - Path Traversal
Multiple directory traversal vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to read arbitrary files via the (1) tmpid parameter to websitebuilder/showtemplateimage.php, (2) fname parameter to admin/downloadfile.php, or (3) id parameter to support/admin/csvdownload.php; or (4) have an unspecified impact via unspecified vectors in support/parser/main_smtp.php.
by i-Hmx
CVE-2013-7189 EXPLOITDB text VERIFIED
iScripts AutoHoster - SQL Injection
Multiple SQL injection vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to execute arbitrary SQL commands via the cmbdomain parameter to (1) checktransferstatus.php, (2) checktransferstatusbck.php, or (3) additionalsettings.php; or (4) invno parameter to payinvoiceothers.php.
by i-Hmx