Exploitdb Exploits

50,083 exploits tracked across all sources.

Sort: Activity Stars
CVE-2013-1362 EXPLOITDB ruby VERIFIED
Opensuse < 2.13 - Improper Input Validation
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
by Metasploit
CVE-2013-0238 EXPLOITDB perl
ircd-hybrid < 8.0.6 - Denial of Service via Negative Mask Parsing
The try_parse_v4_netmask function in hostmask.c in IRCD-Hybrid before 8.0.6 does not properly validate masks, which allows remote attackers to cause a denial of service (crash) via a mask that causes a negative number to be parsed.
by kingcope
EIP-2026-101231 EXPLOITDB ruby VERIFIED
D-Link DIR-645 / DIR-815 - 'diagnostic.php' Command Execution (Metasploit)
by Metasploit
CVE-2013-3532 EXPLOITDB text VERIFIED
Spider Video Player 2.1 - SQL Injection via Theme Parameter
SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the theme parameter.
by Ashiyane Digital Security Team
CVE-2013-3525 EXPLOITDB text VERIFIED
Request Tracker < 4.0.9 - SQL Injection via ShowPending Parameter
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.
by cheki
EIP-2026-118582 EXPLOITDB python VERIFIED
Freefloat FTP Server 1.0 - DEP Bypass with ROP
by negux
EIP-2026-118320 EXPLOITDB python VERIFIED
BigAnt Server 2.97 - DDNF 'Username' Remote Buffer Overflow
by Craig Freyman
CVE-2013-3530 EXPLOITDB text VERIFIED
Spiffy XSPF Player plugin 0.1 - SQL Injection via playlist_id Parameter
SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin 0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the playlist_id parameter.
by Ashiyane Digital Security Team
CVE-2013-0632 EXPLOITDB CRITICAL ruby VERIFIED
Adobe ColdFusion 9.0-9.0.2, 10 - Unauthenticated Authentication Bypass and Remote Code Execution via RDS Component
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.
by Metasploit
CVSS 9.8
CVE-2013-2649 EXPLOITDB text VERIFIED
Hero Framework - '/users/forgot_password?error' Cross-Site Scripting
by High-Tech Bridge
CVE-2013-2649 EXPLOITDB text VERIFIED
Hero Framework - '/users/forgot_password?error' Cross-Site Scripting
by High-Tech Bridge
EIP-2026-101351 EXPLOITDB ruby VERIFIED
Linksys WRT54GL - 'apply.cgi' Command Execution (Metasploit)
by Metasploit
EIP-2026-116370 EXPLOITDB ruby VERIFIED
Sysax Multi Server 6.10 - SSH Denial of Service
by Matt Andreko
CVE-2013-3050 EXPLOITDB text VERIFIED
ZAPms < 1.41 - SQL Injection via Product PID Parameter
SQL injection vulnerability in ZAPms 1.41 and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter to product.
by NoGe
CVE-2013-3526 EXPLOITDB text VERIFIED
Trafficanalyzer - XSS
Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.
by Beni_Vanda
CVE-2013-1937 EXPLOITDB MEDIUM text VERIFIED
phpMyAdmin < 3.5.8 - Cross-Site Scripting via visualizationSettings Parameters
Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable.
by waraxe
CVSS 6.1
EIP-2026-106729 EXPLOITDB text VERIFIED
EasyPHP - '/index.php' Authentication Bypass / Remote PHP Code Injection
by KedAns-Dz
EIP-2026-101283 EXPLOITDB text VERIFIED
Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities
by shekyan
CVE-2013-10061 EXPLOITDB HIGH ruby VERIFIED
Netgear routers <1.1.00.45 - Command Injection
An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN1000B model firmware versions 1.1.00.24 and 1.1.00.45) via the TimeToLive parameter in the setup.cgi endpoint. The vulnerability arises from improper input neutralization, enabling command injection through crafted POST requests. This flaw enables remote attackers to deploy payloads or manipulate system state post-authentication.
by Metasploit
CVSS 7.2
CVE-2013-2760 EXPLOITDB text VERIFIED
Groovy Media Player 3.2.0 - Remote Code Execution via Long String in .m3u File
Buffer overflow in Groovy Media Player 3.2.0 allows remote attackers to execute arbitrary code via a long string in a .m3u file.
by Akshaysinh Vaghela
CVE-2013-3536 EXPLOITDB text
WHMCS Group Pay < 1.5 - SQL Injection via Hash Parameter
SQL injection vulnerability in the gp_LoadUserFromHash function in functions_hash.php in the Group Pay module 1.5 and earlier for WHMCS allows remote attackers to execute arbitrary SQL commands via the hash parameter.
by HJauditing Employee Tim
CVE-2013-3527 EXPLOITDB text
Vanilla Forums < 2.0.18.8 - SQL Injection via Form/Email Parameter
Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.
by bl4ckw0rm
EIP-2026-110261 EXPLOITDB text VERIFIED
OpenCart - Cross-Site Request Forgery (Change User Password)
by Saadi Siddiqui
CVE-2013-2637 EXPLOITDB MEDIUM text VERIFIED
OTRS FAQ < 2.0.8 and OTRS ITSM < 3.0.7 - Cross-Site Scripting via Changes, Workorder Items, and FAQ Articles
A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.
by Luigi Vezzoso
CVSS 6.1
CVE-2013-1080 EXPLOITDB ruby VERIFIED
Novell ZENworks Configuration Management < 11.2.4 - Directory Traversal & Arbitrary File Upload
The web server in Novell ZENworks Configuration Management (ZCM) 10.3 and 11.2 before 11.2.4 does not properly perform authentication for zenworks/jsp/index.jsp, which allows remote attackers to conduct directory traversal attacks, and consequently upload and execute arbitrary programs, via a request to TCP port 443.
by Metasploit