Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2013-7190 EXPLOITDB text VERIFIED
iScripts AutoHoster - Path Traversal
Multiple directory traversal vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to read arbitrary files via the (1) tmpid parameter to websitebuilder/showtemplateimage.php, (2) fname parameter to admin/downloadfile.php, or (3) id parameter to support/admin/csvdownload.php; or (4) have an unspecified impact via unspecified vectors in support/parser/main_smtp.php.
by i-Hmx
CVE-2013-7189 EXPLOITDB text VERIFIED
iScripts AutoHoster - SQL Injection
Multiple SQL injection vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to execute arbitrary SQL commands via the cmbdomain parameter to (1) checktransferstatus.php, (2) checktransferstatusbck.php, or (3) additionalsettings.php; or (4) invno parameter to payinvoiceothers.php.
by i-Hmx
EIP-2026-102270 EXPLOITDB text
Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities
by Vulnerability-Lab
EIP-2026-110349 EXPLOITDB text VERIFIED
Osclass - Multiple Input Validation Vulnerabilities
by R3d-D3V!L
EIP-2026-100313 EXPLOITDB text VERIFIED
Etoshop B2B Vertical Marketplace Creator - Multiple SQL Injections
by R3d-D3V!L
CVE-2014-1214 EXPLOITDB HIGH text VERIFIED
ProJoom Smart Flash Header < 3.0.2 - Unauthenticated Arbitrary File Upload via Crafted Dest and Filename Parameters
views/upload.php in the ProJoom Smart Flash Header (NovaSFH) component 3.0.2 and earlier for Joomla! allows remote attackers to upload and execute arbitrary files via a crafted (1) dest parameter and (2) arbitrary extension in the Filename parameter.
by Yuri Kramarz
CVSS 8.8
EIP-2026-105572 EXPLOITDB text VERIFIED
BoastMachine - 'blog' SQL Injection
by Omar Kurt
CVE-2013-6875 EXPLOITDB text VERIFIED
Nagios XI < 2012r2.4 - SQL Injection via tfPassword Parameter
SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.
by Denis Andzakovic
CVE-2013-7192 EXPLOITDB text VERIFIED
Dynamic Biz Website Builder - SQL Injection
Multiple SQL injection vulnerabilities in Dynamic Biz Website Builder (QuickWeb) allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/news-events/newdetail.asp, or the (2) UserID or (3) Password to login.asp.
by R3d-D3V!L
EIP-2026-116941 EXPLOITDB python VERIFIED
Castripper 2.50.70 - '.pls' DEP Bypass
by Morteza Hashemi
EIP-2026-113410 EXPLOITDB text VERIFIED
WHMCompleteSolution (WHMCS) 4.x/5.x - Multiple Web Vulnerabilities
by AhwAk20o0 --
EIP-2026-109001 EXPLOITDB text VERIFIED
KikChat - Local File Inclusion / Remote Code Execution
by cr4wl3r
EIP-2026-106326 EXPLOITDB text VERIFIED
Cythosia 2.x Botnet (C2 Web Panel) - SQL Injection
by GalaxyAndroid
EIP-2026-101914 EXPLOITDB text
Pentagram Cerberus P 6363 DSL Router - Multiple Vulnerabilities
by condis
CVE-2013-7030 EXPLOITDB HIGH bash VERIFIED
Cisco Unified Communications Manager - Information Disclosure via TFTP RRQ Operation
The TFTP service in Cisco Unified Communications Manager (aka CUCM or Unified CM) allows remote attackers to obtain sensitive information from a phone via an RRQ operation, as demonstrated by discovering a cleartext UseUserCredential field in an SPDefault.cnf.xml file. NOTE: the vendor reportedly disputes the significance of this report, stating that this is an expected default behavior, and that the product's documentation describes use of the TFTP Encrypted Config option in addressing this issue.
by daniel svartman
CVSS 7.3
CVE-2013-4837 EXPLOITDB ruby VERIFIED
HP LoadRunner < 11.52 - Remote Code Execution in Virtual User Generator
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1832.
by Metasploit
CVE-2012-0874 EXPLOITDB text
JBoss EAP < 5.2.0 - Unauthenticated Remote Code Execution via JMX/EJB Invoker
The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.
by rgod
CVE-2013-4988 EXPLOITDB text VERIFIED
IcoFX < 2.5 - Remote Code Execution via Long idCount in ICONDIR Structure
Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote attackers to execute arbitrary code via a long idCount value in an ICONDIR structure in an ICO file. NOTE: some of these details are obtained from third party information.
by Core Security
EIP-2026-113054 EXPLOITDB text VERIFIED
Veno File Manager - 'q' Arbitrary File Download
by Daniel Godoy
CVE-2013-7194 EXPLOITDB text VERIFIED
eFront 3.6.14 - Authenticated Stored Cross-Site Scripting via Administrator Fields
Multiple cross-site scripting (XSS) vulnerabilities in www/administrator.php in eFront 3.6.14 (build 18012) allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) Last name, (2) Lesson name, or (3) Course name field.
by sajith
CVE-2013-7097 EXPLOITDB text VERIFIED
7mediaws eduTrac < 1.1.2 - Path Traversal via Installer Overview showmask Parameter
Directory traversal vulnerability in 7 Media Web Solutions eduTrac before 1.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the showmask parameter to installer/overview.php.
by High-Tech Bridge
CVE-2013-3522 EXPLOITDB ruby VERIFIED
vBulletin 5.0.0 Beta 11 and earlier - Authenticated SQL Injection via nodeid Parameter
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
by Metasploit