Exploitdb Exploits

50,095 exploits tracked across all sources.

Sort: Activity Stars
CVE-2012-2234 EXPLOITDB text VERIFIED
TeamPass < 2.1.6 - Authenticated Cross-Site Scripting via Login Parameter
Cross-site scripting (XSS) vulnerability in sources/users.queries.php in TeamPass before 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the login parameter in an add_new_user action.
by Marcos Garcia
EIP-2026-108687 EXPLOITDB text VERIFIED
Joomla! Component JA T3 Framework - Directory Traversal
by indoushka
CVE-2012-4745 EXPLOITDB text VERIFIED
Acuity CMS 2.6.2 - Cross-Site Scripting via UserName Parameter
Cross-site scripting (XSS) vulnerability in admin/login.asp in Acuity CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the UserName parameter.
by Aung Khant
EIP-2026-114284 EXPLOITDB text VERIFIED
WordPress Plugin Yahoo Answer - Multiple Cross-Site Scripting Vulnerabilities
by Ryuzaki Lawlet
EIP-2026-108913 EXPLOITDB text VERIFIED
Joomla! Plugin Beatz 1.1 - Multiple Cross-Site Scripting Vulnerabilities
by Aung Khant
EIP-2026-105483 EXPLOITDB text VERIFIED
Bioly 1.3 - '/index.php' Cross-Site Scripting / SQL Injection
by T0xic
EIP-2026-103981 EXPLOITDB python VERIFIED
McAfee Web Gateway 7.1.5.x - 'Host' HTTP Header Security Bypass
by Gabriel Menezes Nunes
EIP-2026-111969 EXPLOITDB text VERIFIED
Seditio CMS 165 - 'plug.php' SQL Injection
by AkaStep
EIP-2026-109897 EXPLOITDB php VERIFIED
NetworX CMS - Cross-Site Request Forgery (Add Admin)
by N3t.Crack3r
EIP-2026-109388 EXPLOITDB text
MediaXxx Adult Video / Media Script - SQL Injection
by Daniel Godoy
EIP-2026-108487 EXPLOITDB text VERIFIED
Joomla! Component com_ponygallery - SQL Injection
by xDarkSton3x
EIP-2026-104329 EXPLOITDB text
ManageEngine Support Center Plus 7903 - Multiple Vulnerabilities
by xistence
CVE-2012-0278 EXPLOITDB text VERIFIED
IrfanView <4.3.4.0 - Buffer Overflow
Heap-based buffer overflow in the FlashPix PlugIn before 4.3.4.0 for IrfanView might allow remote attackers to execute arbitrary code via a .fpx file containing a crafted FlashPix image that is not properly handled during decompression.
by Francis Provencher
CVE-2011-4828 EXPLOITDB ruby VERIFIED
AutoSec Tools V-CMS 1.0 - Remote Code Execution via Unrestricted File Upload in Inline Image Upload
Unrestricted file upload vulnerability in includes/inline_image_upload.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in temp/.
by Metasploit
CVE-2012-5896 EXPLOITDB ruby VERIFIED
Quest InTrust < 10.4.0.853 - Remote Code Execution via Annotation Objects ActiveX Control
The Annotation Objects Extension ActiveX control in AnnotateX.dll in Quest InTrust 10.4.0.853 and earlier does not properly implement the Add method, which allows remote attackers to execute arbitrary code via a memory address in the first argument, related to an "uninitialized pointer."
by Metasploit
EIP-2026-112938 EXPLOITDB text
Ushahidi 2.2 - Multiple Vulnerabilities
by shpendk
CVE-2012-2226 EXPLOITDB CRITICAL text
Invision Power Board < 3.3.1 - Unauthenticated Arbitrary File Upload
Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.
by waraxe
CVSS 9.8
CVE-2012-2104 EXPLOITDB text VERIFIED
Munin 2.x - Remote Code Execution via Terminal Emulator Escape Sequence Injection
cgi-bin/munin-cgi-graph in Munin 2.x writes data to a log file without sanitizing non-printable characters, which might allow user-assisted remote attackers to inject terminal emulator escape sequences and execute arbitrary commands or delete arbitrary files via a crafted HTTP request.
by Helmut Grohne
CVE-2012-2276 EXPLOITDB text VERIFIED
EMC Documentum Information Rights Management - Denial of Service via Invalid FIPS Fields or Version Number
The IRM Server in EMC Documentum Information Rights Management 4.x before 4.7.0100 and 5.x before 5.0.1030 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via input data that (1) lacks FIPS fields or (2) has an invalid version number.
by Luigi Auriemma
EIP-2026-112338 EXPLOITDB text VERIFIED
SoftwareDEP Classified Script 2.5 - SQL Injection (2)
by hordcode security
CVE-2012-2095 EXPLOITDB python VERIFIED
WICD < 1.7.2 - Unauthenticated Privilege Escalation via D-Bus SetWiredProperty
The SetWiredProperty function in the D-Bus interface in WICD before 1.7.2 allows local users to write arbitrary configuration settings and gain privileges via a crafted property name in a dbus message.
by anonymous
CVE-2012-2277 EXPLOITDB text VERIFIED
EMC Documentum Information Rights Management 4.x-5.x - Denial of Service via Newline in Batch Begin Untethered Command
The IRM Server in EMC Documentum Information Rights Management 4.x before 4.7.0100 and 5.x before 5.0.1030 allows remote attackers to cause a denial of service (pvcontrol.exe process hang) via \n (line feed) characters in the Id fields of many "batch begin untethered" commands.
by Luigi Auriemma
CVE-2012-1835 EXPLOITDB text VERIFIED
All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
by High-Tech Bridge SA
CVE-2012-1835 EXPLOITDB text VERIFIED
All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
by High-Tech Bridge SA
CVE-2012-1835 EXPLOITDB text VERIFIED
All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
by High-Tech Bridge SA