Exploitdb Exploits
50,095 exploits tracked across all sources.
phpVideoPro 0.8.x/0.9.7 - Multiple Cross-Site Scripting Vulnerabilities
by Stefan Schurtz
PHPDomainRegister 0.4a-RC2-dev - Multiple Vulnerabilities
by Or4nG.M4N
PHP Membership Site Manager Script 2.1 - 'index.php' Cross-Site Scripting
by Atmon3r
Giveaway Manager - 'members.php' Cross-Site Scripting
by Am!r
BoltWire 3.4.16 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
by Stefan Schurtz
Beehive Forum 1.0.1 - Cross-Site Scripting via PATH_INFO to forum/register.php or forum/logon.php
Multiple cross-site scripting (XSS) vulnerabilities in Beehive Forum 1.0.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) forum/register.php or (2) forum/logon.php.
by Stefan Schurtz
ATutor < 2.1 - Cross-Site Scripting via PATH_INFO
Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6) login.php/mods/_standard/flowplayer, (7) browse.php/jscripts/infusion/framework/fss, (8) registration.php/themes/default/ie_styles.css, (9) about.php, or (10) themes/default/social/basic_profile.tmpl.php.
by Stefan Schurtz
Annuaire PHP - Cross-Site Scripting via referencement/sites_inscription.php url Parameter
Cross-site scripting (XSS) vulnerability in referencement/sites_inscription.php in Annuaire PHP allows remote attackers to inject arbitrary web script or HTML via the url parameter and possibly the nom parameter.
by Atmon3r
PHP Ringtone Website - 'ringtones.php' Multiple Cross-Site Scripting Vulnerabilities
by Atmon3r
Cloupia End-to-end FlexPod Management - Directory Traversal
by Chris Rock
XAMPP < 1.7.3 - Authenticated Remote Code Execution via WebDAV PHP Upload
A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.
by Metasploit
PHP 5.3.8 - Denial of Service via zend_strndup Return Value Mismanagement
PHP 5.3.8 does not always check the return value of the zend_strndup function, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that performs strndup operations on untrusted string data, as demonstrated by the define function in zend_builtin_functions.c, and unspecified functions in ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c, ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and main/php_open_temporary_file.c.
by Maksymilian Arciemowicz
Microsoft Internet Explorer 6.0.2900.2180 and 6.0.2800.1106 - Remote Code Execution via JavaScript BODY onload Event
Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
by Metasploit
MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files, aka "Assembly Execution Vulnerability."
by Byoungyoung Lee
Adobe Acrobat and Reader < 10.1.1 - Remote Code Execution via U3D Memory Corruption
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
by Metasploit
CVSS 9.8
WordPress Plugin Evarisk - 'uploadPhotoApres.php' Arbitrary File Upload
by Sammy FORGIT
phpMyAdmin <3.4.7.1 & <3.3.10.5 - XXE Injection
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
by Marco Batista
CVSS 6.5
PHP 5.3.8 - Denial of Service via Tidy::diagnose NULL Pointer Dereference
The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that attempts to perform Tidy::diagnose operations on invalid objects, a different vulnerability than CVE-2011-4153.
by Maksymilian Arciemowicz
GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
by Metasploit
GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
by Metasploit
Tine 2.0 - Maischa Multiple Cross-Site Scripting Vulnerabilities
by Vulnerability-Lab
MailEnable < 4.26, 5.x < 5.53, 6.x < 6.03 - Cross-Site Scripting via ForgottenPassword.aspx Username Parameter
Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in MailEnable Professional, Enterprise, and Premium 4.26 and earlier, 5.x before 5.53, and 6.x before 6.03 allows remote attackers to inject arbitrary web script or HTML via the Username parameter.
by Sajjad Pourali
Count Per Day < 3.1.1 - Cross-Site Scripting via Map Parameter
Cross-site scripting (XSS) vulnerability in map/map.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map parameter.
by 6Scan
By Source