Exploitdb Exploits
50,095 exploits tracked across all sources.
BrowserCRM < 5.100.01 - Cross-Site Scripting via PATH_INFO or Login Parameter
Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php.
by High-Tech Bridge SA
BrowserCRM < 5.100.01 - Cross-Site Scripting via PATH_INFO or Login Parameter
Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php.
by High-Tech Bridge SA
BrowserCRM < 5.100.01 - SQL Injection via login[username] or parent_id or contact_id Parameter
Multiple SQL injection vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) login[username] parameter to index.php, (2) parent_id parameter to modules/Documents/version_list.php, or (3) contact_id parameter to modules/Documents/index.php.
by High-Tech Bridge SA
BrowserCRM < 5.100.01 - Cross-Site Scripting via PATH_INFO or Login Parameter
Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php.
by High-Tech Bridge SA
Nagios XI - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities
by anonymous
Traq Project Issue Tracking System 2.0-2.3 - Unauthenticated Remote Code Execution via Admin Plugin Injection
Traq versions 2.0 through 2.3 contain a remote code execution vulnerability in the admincp/common.php script. The flawed authorization logic fails to halt execution after a failed access check, allowing unauthenticated users to reach admin-only functionality. This can be exploited via plugins.php to inject and execute arbitrary PHP code.
by Metasploit
3S CoDeSys < 3.4 - Remote Code Execution via Long URI to CmpWebServer
Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080.
by Metasploit
WordPress Plugin flash-album-gallery - 'flagshow.php' Cross-Site Scripting
by Am!r
Opera < 11.60 - Certificate Revocation Handling Issue
Opera before 11.60 does not properly handle certificate revocation, which has unspecified impact and remote attack vectors related to "corner cases."
by anonymous
WordPress Plugin GRAND FlAGallery 1.57 - 'flagshow.php' Cross-Site Scripting
by Am!r
zFTPServer Suite 6.0.0.52 - Authenticated Path Traversal via RMD Command
Directory traversal vulnerability in zFTPServer Suite 6.0.0.52 allows remote authenticated users to delete arbitrary directories via a crafted RMD (aka rmdir) command.
by Stefan Schurtz
WordPress Plugin UPM Polls 1.0.4 - Blind SQL Injection
by Saif
FCMS CMS 2.7.2 - Multiple Cross-Site Request Forgery Vulnerabilities
by Ahmed Elhady Mohamed
Family Connections CMS < 2.9.0 - Cross-Site Request Forgery via News or Prayer Add Action
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an add action to prayers.php.
by Ahmed Elhady Mohamed
CVSS 8.8
acpid2 < 2.0.16 - Privilege Escalation via pidof Mismanagement
samples/powerbtn/powerbtn.sh in acpid (aka acpid2) 2.0.16 and earlier uses the pidof program incorrectly, which allows local users to gain privileges by running a program with the name kded4 and a DBUS_SESSION_BUS_ADDRESS environment variable containing commands.
by otr
CyberLink Power2Go 7 build 196 and 8 build 1031 - Remote Code Execution via Crafted Project File Parameters
Multiple stack-based buffer overflows in CyberLink Power2Go 7 (build 196) and 8 (build 1031) allow remote attackers to execute arbitrary code via the (1) src and (2) name parameters in a p2g project file.
by modpr0be
Pet Listing - 'preview.php' Cross-Site Scripting
by Mr.PaPaRoSSe
DoceboLMS < 4.0.4 - Authenticated SQL Injection via coursereportuiconfig Parameters
Multiple SQL injection vulnerabilities in the save_connection function in lib/lib.iotask.php in the iotask module in DoceboLMS 4.0.4 and earlier allow remote authenticated users with admin or teacher privileges to execute arbitrary SQL commands via the (1) coursereportuiconfig[name] or (2) coursereportuiconfig[description] parameters to index.php.
by mr_me
ConfigServer Security & Firewall < 5.43 - Stack-Based Buffer Overflow via Admin List File
Stack-based buffer overflow in CFS.c in ConfigServer Security & Firewall (CSF) before 5.43, when running on a DirectAdmin server, allows local users to cause a denial of service (crash) via a long string in an admin.list file.
by FoX HaCkEr
GIGAPOD OfficeHard <3.04.03, GIGAPOD 2010/3 <3.01.02 - DoS via Apache HTTP Request Handling
GIGAPOD file servers (Appliance model and Software model) provide two web interfaces, 80/tcp and 443/tcp for user operation, and 8001/tcp for administrative operation.
8001/tcp is served by a version of Apache HTTP server containing a flaw in handling HTTP requests (CVE-2011-3192), which may lead to a denial-of-service (DoS) condition.
by Ramon de C Valle
CVSS 7.5
By Source