Exploitdb Exploits
50,076 exploits tracked across all sources.
AlienVault OSSIM < 4.3 - SQL Injection via RadarReport Date Parameter
Multiple SQL injection vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 4.3 and earlier allow remote attackers to execute arbitrary SQL commands via the date_from parameter to (1) radar-iso27001-potential.php, (2) radar-iso27001-A12IS_acquisition-pot.php, (3) radar-iso27001-A11AccessControl-pot.php, (4) radar-iso27001-A10Com_OP_Mgnt-pot.php, or (5) radar-pci-potential.php in RadarReport/.
by Yu-Chi Ding
Evince PDF Reader 2.32.0.145 (Windows) / 3.4.0 (Linux) - Denial of Service
by Deva
PineApp Mail-SeCure <3.70 - Privilege Escalation
PineApp Mail-SeCure before 3.70 allows remote authenticated users to gain privileges by leveraging console access and providing shell metacharacters in a "system ping" command.
by Core Security
HylaFAX+ 5.2.4-5.5.3 - Heap-Based Buffer Overflow via Long USER Command
Heap-based buffer overflow in hfaxd in HylaFAX+ 5.2.4 through 5.5.3, when using LDAP authentication, might allow remote attackers to cause a denial of service (child hang) or execute arbitrary code via a long USER command.
by Dennis Jenkins
XAMPP 1.8.1 - Cross-Site Scripting via WriteIntoLocalDisk Method
XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method.
by Manuel García Cárdenas
simplerisk < 20130916-001 - Cross-Site Request Forgery via add_project Action
Cross-site request forgery (CSRF) vulnerability in management/prioritize_planning.php in SimpleRisk before 20130916-001 allows remote attackers to hijack the authentication of users for requests that add projects via an add_project action.
by Ryan Dewhurst
nodeca/js-yaml < 2.0.5 - Remote Code Execution via Unsafe YAML Tag Parsing
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
by Metasploit
mod_accounting < 0.5 - SQL Injection via Host Header
SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header.
by Wireghoul
GNU C Library <2.17 - Buffer Overflow
The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.
by Hector Marco & Ismael Ripoll
FreeSMS - '/pages/crc_handler.php?scheduleid' SQL Injection
by Sarahma Security
FreeSMS - '/pages/crc_handler.php' Multiple Cross-Site Scripting Vulnerabilities
by Sarahma Security
Posnic Stock Management System 1.02 - Multiple Vulnerabilities
by Sarahma Security
HP 2620-24-PoE+ Switch - Cross-Site Request Forgery via setPassword Method
Cross-site request forgery (CSRF) vulnerability in html/json.html on HP 2620 switches allows remote attackers to hijack the authentication of administrators for requests that change an administrative password via the setPassword method.
by Hubert Gradek
X2Engine X2CRM < 3.5 - Authenticated Path Traversal via Translation Manager File Parameter
Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.
by High-Tech Bridge SA
X2Engine X2CRM < 3.5 - Cross-Site Scripting via Model Parameter
Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.
by High-Tech Bridge SA
Good for Enterprise <2.2.4.1659 - XSS
Cross-site scripting (XSS) vulnerability in the Good for Enterprise app before 2.2.4.1659 for iOS allows remote attackers to inject arbitrary web script or HTML via an HTML e-mail message.
by Mario
Raidsonic IB-NAS5220 and IB-NAS4220 - Unauthenticated OS Command Injection via timeHandler.cgi timeZone Parameter
An OS command injection vulnerability exists in multiple Raidsonic NAS devices—specifically tested on IB-NAS5220 and IB-NAS4220—via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone parameter of a POST request, allowing remote attackers to inject arbitrary shell commands.
by Metasploit
By Source