Exploitdb Exploits

50,095 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-105172 EXPLOITDB html VERIFIED
Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities
by Gjoko Krstic
CVE-2008-5499 EXPLOITDB ruby VERIFIED
Adobe Flash Player ActionScript Launch Command Execution Vulnerability
Unspecified vulnerability in Adobe Flash Player for Linux 10.0.12.36, and 9.0.151.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file.
by Metasploit
CVE-2012-1260 EXPLOITDB MEDIUM text VERIFIED
Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204-9.0.1.19899 - Cross-Site Scripting via newUser Parameter
Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script.
by Trustwave's SpiderLabs
CVSS 6.1
CVE-2012-1259 EXPLOITDB CRITICAL text VERIFIED
Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204-9.0.1.19899 - SQL Injection via Multiple CGI Parameters
Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrut_fa_exclusions.cgi, (2) getPermissionsAndPreferences parameter to cgi-bin/login.cgi, or (3) possibly certain parameters to d4d/alarms.php as demonstrated by the search_str parameter.
by Trustwave's SpiderLabs
CVSS 9.8
CVE-2012-1258 EXPLOITDB MEDIUM text VERIFIED
Scrutinizer NetFlow & sFlow Analyzer < 9.0.1.19899 - Unauthenticated Privilege Escalation via User Preferences CGI
cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allow remote attackers to add user accounts with administrator privileges via the newuser, pwd, and selectedUserGroup parameters.
by Trustwave's SpiderLabs
CVSS 6.5
CVE-2012-1935 EXPLOITDB text VERIFIED
Newscoop 3.5.x < 3.5.5 and 4.x < 4 RC4 - Cross-Site Scripting via Back Parameter or Token/Email Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Newscoop 3.5.x before 3.5.5 and 4.x before 4 RC4 allow remote attackers to inject arbitrary web script or HTML via the (1) Back parameter to admin/ad.php, or the (2) token or (3) f_email parameter to admin/password_check_token.php.
by High-Tech Bridge SA
CVE-2012-1934 EXPLOITDB text VERIFIED
Newscoop - SQL Injection via f_country_code Parameter
SQL injection vulnerability in admin/country/edit.php in Newscoop before 3.5.5 and 4.x before 4 RC4 allows remote attackers to execute arbitrary SQL commands via the f_country_code parameter.
by High-Tech Bridge SA
CVE-2012-1933 EXPLOITDB text VERIFIED
Newscoop 3.5.x < 3.5.5 and 4 < RC4 - Remote Code Execution via GLOBALS[g_campsiteDir] Parameter
Multiple PHP remote file inclusion vulnerabilities in Newscoop 3.5.x before 3.5.5 and 4 before RC4, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[g_campsiteDir] parameter to (1) include/phorum_load.php, (2) conf/install_conf.php, or (3) conf/liveuser_configuration.php.
by High-Tech Bridge SA
CVE-2012-4329 EXPLOITDB text VERIFIED
Samsung D6000 Firmware - Denial of Service via Crafted Controller Name
The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart) via a crafted controller name.
by Luigi Auriemma
CVE-2012-2110 EXPLOITDB text VERIFIED
OpenSSL < 0.9.8v, 1.0.0 < 1.0.0i, 1.0.1 < 1.0.1a - Buffer Overflow via Crafted DER Data
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
by Tavis Ormandy
CVE-2012-2396 EXPLOITDB text
VideoLAN VLC media player <2.0.1 - DoS
VideoLAN VLC media player 2.0.1 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted MP4 file.
by Senator of Pirates
CVE-2011-1249 EXPLOITDB c
Microsoft Windows - Local Privilege Escalation via AFD.sys Input Validation
The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
by fb1h2s
CVE-2012-0984 EXPLOITDB text VERIFIED
XOOPS < 2.5.5 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
by High-Tech Bridge SA
CVE-2012-4679 EXPLOITDB text VERIFIED
Newscoop < 3.5.5 - Cross-Site Scripting via f_user_name Parameter
Cross-site scripting (XSS) vulnerability in admin/login.php in Newscoop before 3.5.5 allows remote attackers to inject arbitrary web script or HTML via the f_user_name parameter.
by High-Tech Bridge SA
CVE-2012-1261 EXPLOITDB MEDIUM text VERIFIED
Scrutinizer NetFlow & sFlow Analyzer < 8.6.2.16204 - Cross-Site Scripting via Standalone Parameter
Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML via the standalone parameter.
by Trustwave's SpiderLabs
CVSS 6.1
CVE-2012-1593 EXPLOITDB text VERIFIED
Wireshark 1.4.x < 1.4.12 and 1.6.x < 1.6.6 - Denial of Service via Malformed ANSI A Packet
epan/dissectors/packet-ansi_a.c in the ANSI A dissector in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet.
by Wireshark
CVE-2012-2131 EXPLOITDB text VERIFIED
OpenSSL 0.9.8v - Buffer Overflow via Crafted DER Data
Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.
by Tavis Ormandy
EIP-2026-103534 EXPLOITDB php
LibreOffice 3.5.2.2 - Memory Corruption
by shinnai
CVE-2012-4330 EXPLOITDB text VERIFIED
Samsung D6000 Firmware - Denial of Service via Long MAC Address Field
The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long string in certain fields, as demonstrated by the MAC address field, possibly a buffer overflow.
by Luigi Auriemma
EIP-2026-117255 EXPLOITDB ruby VERIFIED
GSM SIM Editor 5.15 - Local Buffer Overflow (Metasploit)
by Metasploit
CVE-2011-5171 EXPLOITDB ruby VERIFIED
CyberLink Power2Go 7 build 196 and 8 build 1031 - Remote Code Execution via Crafted Project File Parameters
Multiple stack-based buffer overflows in CyberLink Power2Go 7 (build 196) and 8 (build 1031) allow remote attackers to execute arbitrary code via the (1) src and (2) name parameters in a p2g project file.
by Metasploit
CVE-2012-0984 EXPLOITDB text VERIFIED
XOOPS < 2.5.5 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
by High-Tech Bridge SA
CVE-2012-0984 EXPLOITDB text VERIFIED
XOOPS < 2.5.5 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
by High-Tech Bridge SA
CVE-2012-2270 EXPLOITDB text VERIFIED
owncloud < 3.0.3 - Open Redirect via Login Page redirect_url Parameter
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
by Tobias Glemser
EIP-2026-104602 EXPLOITDB python
Microsoft Office 2008 SP0 (Mac) - RTF pFragments
by Abhishek Lyall