Max CVSS 10.0 Min CVSS 1.9 Total Count 6588
ID CVSS Summary Last (major) update Published
CVE-2018-1002009 None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via GET request to the email
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002008 None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via GET request offset variabl
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002007 None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via POST reque
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002006 None
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002005 None
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43: via the filter_signup_date parameter.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002004 None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002003 None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002002 None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002001 None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002000 None
There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8 These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST req
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-15716 None
NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root.
30-11-2018 - 15:29 30-11-2018 - 15:29
CVE-2018-19752 None
DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19751 None
DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19750 None
DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Domain Fields.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19749 None
DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-18619 None
internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute th
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19458 None
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
22-11-2018 - 15:29 22-11-2018 - 15:29
CVE-2018-18774 4.3
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
20-11-2018 - 14:29 20-11-2018 - 14:29
CVE-2018-18773 6.8
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
20-11-2018 - 14:29 20-11-2018 - 14:29
CVE-2018-18772 6.8
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
20-11-2018 - 14:29 20-11-2018 - 14:29
CVE-2018-18805 None
PointOfSales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18804 None
Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18803 None
Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18801 None
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18799 None
School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18797 None
School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18795 None
School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18794 None
School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18793 None
School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18763 None
SaltOS 3.1 r8126 allows action=ajax&query=numbers&page=usuarios&action2=[SQL] SQL Injection.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18761 None
SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] SQL Injection.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18760 None
RhinOS 3.0 build 1190 allows CSRF.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18755 None
K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-19287 None
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.
15-11-2018 - 01:29 15-11-2018 - 01:29
CVE-2018-19246 None
PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the
13-11-2018 - 04:29 13-11-2018 - 04:29
CVE-2018-19135 None
ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload (enabled by default). This can be used by an attacker to perform actions for an admin (or any user with the file upload capability). With this vulnerability, one can automatic
10-11-2018 - 23:29 10-11-2018 - 23:29
CVE-2018-19136 None
DomainMOD through 4.11.01 has XSS via the assets/edit/registrar-account.php raid parameter.
09-11-2018 - 14:29 09-11-2018 - 14:29
CVE-2018-18924 None
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image
04-11-2018 - 01:29 04-11-2018 - 01:29
CVE-2018-18548 4.3
ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager.
24-10-2018 - 17:29 24-10-2018 - 17:29
CVE-2018-18419 3.5
Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.
19-10-2018 - 18:29 19-10-2018 - 18:29
CVE-2018-18417 3.5
In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.
19-10-2018 - 18:29 19-10-2018 - 18:29
CVE-2018-18416 3.5
LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI.
19-10-2018 - 18:29 19-10-2018 - 18:29
CVE-2015-4633 7.5
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2015-4632 None
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2015-4631 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2015-4630 6.0
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests th
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2018-18308 4.3
In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).
16-10-2018 - 18:29 16-10-2018 - 18:29
CVE-2018-18324 4.3
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor
15-10-2018 - 03:29 15-10-2018 - 03:29
CVE-2018-18323 5.0
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.
15-10-2018 - 03:29 15-10-2018 - 03:29
CVE-2018-18322 7.5
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.
15-10-2018 - 03:29 15-10-2018 - 03:29
CVE-2018-9206 None
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
11-10-2018 - 11:29 11-10-2018 - 11:29
CVE-2018-17784 4.3
Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
10-10-2018 - 17:29 10-10-2018 - 17:29
CVE-2018-17443 4.3
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'sitename' parameter of the UpdateSite endpoint is vulnerable to stored XSS.
08-10-2018 - 12:29 08-10-2018 - 12:29
CVE-2018-17442 6.5
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. An unrestricted file upload vulnerability in the onUploadLogPic endpoint allows remote authenticated users to execute arbitrary PHP code.
08-10-2018 - 12:29 08-10-2018 - 12:29
CVE-2018-17441 4.3
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'username' parameter of the addUser endpoint is vulnerable to stored XSS.
08-10-2018 - 12:29 08-10-2018 - 12:29
CVE-2018-17440 7.5
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker c
08-10-2018 - 12:29 08-10-2018 - 12:29
CVE-2018-17553 6.5
An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../..
03-10-2018 - 16:29 03-10-2018 - 16:29
CVE-2018-17552 7.5
SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote attackers to bypass authentication via the navigate-user cookie.
03-10-2018 - 16:29 03-10-2018 - 16:29
CVE-2018-17428 7.5
An issue was discovered in OPAC EasyWeb Five 5.7. There is SQL injection via the w2001/index.php?scelta=campi biblio parameter.
03-10-2018 - 16:29 03-10-2018 - 16:29
CVE-2018-17832 4.3
XSS exists in WUZHI CMS 2.0 via the index.php v or f parameter.
01-10-2018 - 04:29 01-10-2018 - 04:29
CVE-2018-17397 7.5
SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for Joomla! via the letter parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17394 7.5
SQL Injection exists in the Timetable Schedule 3.6.8 component for Joomla! via the eid parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17391 7.5
SQL Injection exists in authors_post.php in Super Cms Blog Pro 1.0 via the author parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17385 7.5
SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17384 7.5
SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! via the filter_order_Dir or filter_order parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17383 7.5
SQL Injection exists in the Collection Factory 4.1.9 component for Joomla! via the filter_order or filter_order_Dir parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17382 7.5
SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! via the filter_letter parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17380 7.5
SQL Injection exists in the Article Factory Manager 4.3.9 component for Joomla! via the start_date, m_start_date, or m_end_date parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17379 7.5
SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! via the filter_order_Dir or filter_order parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17378 7.5
SQL Injection exists in the Penny Auction Factory 2.0.4 component for Joomla! via the filter_order_Dir or filter_order parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17377 7.5
SQL Injection exists in the Questions 1.4.3 component for Joomla! via the term, userid, users, or groups parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17376 7.5
SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-17375 7.5
SQL Injection exists in the Music Collection 3.0.3 component for Joomla! via the id parameter.
27-09-2018 - 20:29 27-09-2018 - 20:29
CVE-2018-16299 5.0
The Localize My Post plugin 1.0 for WordPress allows Directory Traversal via the ajax/include.php file parameter.
24-09-2018 - 18:29 24-09-2018 - 18:29
CVE-2018-16283 7.5
The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter.
24-09-2018 - 18:29 24-09-2018 - 18:29
CVE-2018-14592 7.5
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
20-09-2018 - 16:29 20-09-2018 - 16:29
CVE-2018-17255 4.3
Navigate CMS 2.8 has Reflected XSS via the navigate.php fid parameter.
20-09-2018 - 10:29 20-09-2018 - 10:29
CVE-2018-17254 7.5
The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
20-09-2018 - 10:29 20-09-2018 - 10:29
CVE-2018-17140 3.5
The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php.
17-09-2018 - 02:29 17-09-2018 - 02:29
CVE-2018-17138 3.5
The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS via the wp-content/plugins/jibu-pro/quiz_action.php name (aka Quiz Name) field.
17-09-2018 - 02:29 17-09-2018 - 02:29
CVE-2018-17128 3.5
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
17-09-2018 - 00:29 17-09-2018 - 00:29
CVE-2018-17110 7.5
Simple POS 4.0.24 allows SQL Injection via a products/get_products/ columns[0][search][value] parameter in the management panel, as demonstrated by products/get_products/1.
17-09-2018 - 00:29 17-09-2018 - 00:29
CVE-2018-1756 5.0
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-For
07-09-2018 - 11:29 07-09-2018 - 11:29
CVE-2018-15918 5.5
An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) allows a user of the application without permissions to read and modify sensitive information from the database used by the application via the startdate or enddate parameter to lea
05-09-2018 - 17:29 05-09-2018 - 17:29
CVE-2018-15917 3.5
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
05-09-2018 - 17:29 05-09-2018 - 17:29
CVE-2018-15596 4.3
An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the gen
28-08-2018 - 15:29 28-08-2018 - 15:29
CVE-2018-15877 9.0
The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.
26-08-2018 - 03:29 26-08-2018 - 03:29
CVE-2018-15845 6.8
There is a CSRF vulnerability that can add an administrator account in Gleez CMS 1.2.0 via admin/users/add.
25-08-2018 - 17:29 25-08-2018 - 17:29
CVE-2018-15844 6.8
An issue was discovered in DamiCMS 6.0.0. There is an CSRF vulnerability that can revise the administrator account's password via /admin.php?s=/Admin/doedit.
25-08-2018 - 17:29 25-08-2018 - 17:29
CVE-2018-15576 6.8
An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php contains an unserialize call that can be exploited for remote code execution in the decrypt function, if the attacker knows the key.
25-08-2018 - 06:29 24-08-2018 - 17:29
CVE-2018-14059 3.5
Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes function
25-08-2018 - 06:29 24-08-2018 - 18:29
CVE-2018-15536 5.8
/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 does not properly validate file paths in archives, allowing for the extraction of crafted archives to overwrite arbitrary files via an extract action, aka Directory Traversal
24-08-2018 - 15:29 24-08-2018 - 15:29
CVE-2018-15535 5.0
/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve
24-08-2018 - 15:29 24-08-2018 - 15:29
CVE-2018-14058 4.0
Pimcore before 5.3.0 allows SQL Injection via the REST web service API.
17-08-2018 - 14:29 17-08-2018 - 14:29
CVE-2018-14057 6.8
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
17-08-2018 - 14:29 17-08-2018 - 14:29
CVE-2018-14888 4.3
inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject.
14-08-2018 - 14:29 14-08-2018 - 14:29
CVE-2018-14869 3.5
PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Address Line 2, Bank name, or A/C Holder name field in a profile.
07-08-2018 - 21:29 06-08-2018 - 17:29
CVE-2018-14417 10.0
A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacke
04-08-2018 - 21:29 03-08-2018 - 21:29
CVE-2018-14840 4.3
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
01-08-2018 - 21:29 01-08-2018 - 21:29
CVE-2018-14418 7.5
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
19-07-2018 - 21:29 19-07-2018 - 21:29
CVE-2018-7602 7.5
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability
19-07-2018 - 13:29 19-07-2018 - 13:29
CVE-2018-14392 4.3
The New Threads plugin before 1.2 for MyBB has XSS.
18-07-2018 - 22:29 18-07-2018 - 22:29
CVE-2018-13832 3.5
Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text,
16-07-2018 - 16:29 16-07-2018 - 16:29
CVE-2018-13981 7.5
The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated remote code execution due to a default component that permits arbitrary upload of PHP files, because the formmailer widget blocks .php files b
16-07-2018 - 10:29 16-07-2018 - 10:29
CVE-2018-13980 2.1
The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
16-07-2018 - 10:29 16-07-2018 - 10:29
CVE-2018-14029 6.8
CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allows an attacker to take over a user account, as demonstrated by modifying the account's email field.
12-07-2018 - 22:29 12-07-2018 - 22:29
CVE-2018-12981 3.5
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability can be exploited by authenticated and unauthenticated users by sending special crafted requests to the web server allowing injec
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-12980 6.5
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-12979 5.5
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-13849 4.3
edit_requests.php in yTakkar Instagram-clone through 2018-04-23 has XSS via an onmouseover payload because of an inadequate XSS protection mechanism based on preg_replace.
10-07-2018 - 14:29 10-07-2018 - 14:29
CVE-2018-13784 6.4
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
09-07-2018 - 06:29 09-07-2018 - 06:29
CVE-2018-12739 6.8
In BEESCMS 4.0, CSRF allows administrators to be added arbitrarily, a related issue to CVE-2018-10266.
05-07-2018 - 16:29 05-07-2018 - 16:29
CVE-2018-12465 9.0
An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploi
29-06-2018 - 12:29 29-06-2018 - 12:29
CVE-2018-12464 7.5
A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to cre
29-06-2018 - 12:29 29-06-2018 - 12:29
CVE-2018-12912 6.5
An issue was discovered in admin\controllers\database.php in HongCMS 3.0.0. There is a SQL Injection vulnerability via an admin/index.php/database/operate?dbaction=emptytable&tablename= URI.
27-06-2018 - 14:29 27-06-2018 - 14:29
CVE-2018-12908 5.0
Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for the /dashboard/deposit URI, as demonstrated by discovering database credentials.
27-06-2018 - 12:29 27-06-2018 - 12:29
CVE-2018-12603 6.8
Cross-site request forgery (CSRF) vulnerability in admin.php in LFCMS 3.7.0 allows remote attackers to hijack the authentication of unspecified users for requests that add administrator users via the s parameter, a related issue to CVE-2018-12114.
25-06-2018 - 16:29 25-06-2018 - 16:29
CVE-2018-12602 6.8
A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitrarily.
25-06-2018 - 11:29 25-06-2018 - 11:29
CVE-2018-12636 6.5
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.
22-06-2018 - 12:29 22-06-2018 - 12:29
CVE-2018-12613 6.5
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and
21-06-2018 - 16:29 21-06-2018 - 16:29
CVE-2018-12604 5.0
GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log.
20-06-2018 - 15:29 20-06-2018 - 15:29
CVE-2018-12519 4.0
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's
19-06-2018 - 17:29 19-06-2018 - 17:29
CVE-2018-11526 6.8
The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.
19-06-2018 - 15:29 19-06-2018 - 15:29
CVE-2018-11525 6.8
The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
19-06-2018 - 15:29 19-06-2018 - 15:29
CVE-2015-4664 7.5
An improper input validation vulnerability in CA Privileged Access Manager 2.4.4.4 and earlier allows remote attackers to execute arbitrary commands.
18-06-2018 - 14:29 18-06-2018 - 14:29
CVE-2018-10969 7.5
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
17-06-2018 - 12:29 17-06-2018 - 12:29
CVE-2018-12114 6.8
Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.
14-06-2018 - 13:29 14-06-2018 - 13:29
CVE-2018-12254 6.5
router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for Joomla! allows SQL Injection via the PATH_INFO to a home/requested_user/Sent%20interest/ URI.
12-06-2018 - 13:29 12-06-2018 - 13:29
CVE-2018-12111 4.3
Cross-site scripting (XSS) vulnerability in the Canon PrintMe EFI webinterface allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /wt3/mydocs.php URI.
11-06-2018 - 09:29 11-06-2018 - 09:29
CVE-2018-12095 3.5
A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php.
11-06-2018 - 07:29 11-06-2018 - 07:29
CVE-2018-12094 3.5
Cross-site scripting (XSS) vulnerability in news.php in Dimofinf CMS Version 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
11-06-2018 - 07:29 11-06-2018 - 07:29
CVE-2018-12055 7.5
Multiple SQL Injections exist in PHP Scripts Mall Schools Alert Management Script via crafted POST data in contact_us.php, faq.php, about.php, photo_gallery.php, privacy.php, and so on.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-12054 5.0
Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-12053 6.4
Arbitrary File Deletion exists in PHP Scripts Mall Schools Alert Management Script via the img parameter in delete_img.php by using directory traversal.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-12052 7.5
SQL Injection exists in PHP Scripts Mall Schools Alert Management Script via the q Parameter in get_sec.php.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-11715 3.5
The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject.
04-06-2018 - 13:29 04-06-2018 - 13:29
CVE-2018-11564 3.5
Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and
01-06-2018 - 21:29 01-06-2018 - 21:29
CVE-2018-11671 6.8
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle.
01-06-2018 - 13:29 01-06-2018 - 13:29
CVE-2018-11670 6.8
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect.
01-06-2018 - 13:29 01-06-2018 - 13:29
CVE-2018-11535 7.5
An issue was discovered in SITEMAKIN SLAC (Site Login and Access Control) v1.0. The parameter "my_item_search" in users.php is exploitable using SQL injection.
29-05-2018 - 03:29 29-05-2018 - 03:29
CVE-2018-11532 4.3
An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB. changstats.php has XSS, as demonstrated by a subject field.
29-05-2018 - 03:29 29-05-2018 - 03:29
CVE-2018-11512 3.5
Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name
28-05-2018 - 09:29 28-05-2018 - 09:29
CVE-2018-6411 7.5
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap
26-05-2018 - 18:29 26-05-2018 - 18:29
CVE-2018-6410 7.5
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
26-05-2018 - 18:29 26-05-2018 - 18:29
CVE-2018-6409 5.0
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerabilit
26-05-2018 - 18:29 26-05-2018 - 18:29
CVE-2018-11445 6.8
A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11444 7.5
A SQL Injection issue was observed in the parameter "q" in jobcard-ongoing.php in EasyService Billing 1.0.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11443 4.3
The parameter q is affected by Cross-site Scripting in jobcard-ongoing.php in EasyService Billing 1.0.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11442 6.8
A CSRF issue was discovered in EasyService Billing 1.0, which was triggered via a quotation-new3-new2.php?add=true&id= URI, as demonstrated by adding a new quotation.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11332 3.5
Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors
24-05-2018 - 12:29 24-05-2018 - 12:29
CVE-2018-11404 4.3
DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter.
24-05-2018 - 03:29 24-05-2018 - 03:29
CVE-2018-11403 3.5
DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter.
24-05-2018 - 03:29 24-05-2018 - 03:29
CVE-2018-10094 7.5
SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.
22-05-2018 - 16:29 22-05-2018 - 16:29
CVE-2018-11092 5.8
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
21-05-2018 - 10:29 21-05-2018 - 10:29
CVE-2018-10580 3.5
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.
11-05-2018 - 10:29 11-05-2018 - 10:29
CVE-2015-1503 7.8
Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash
08-05-2018 - 16:29 08-05-2018 - 16:29
CVE-2018-10752 3.5
The Tagregator plugin 0.6 for WordPress has stored XSS via the title field in an Add New action.
04-05-2018 - 22:29 04-05-2018 - 22:29
CVE-2018-9302 6.4
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an inc
02-05-2018 - 11:29 02-05-2018 - 11:29
CVE-2018-10260 6.5
A Local File Inclusion vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10259 3.5
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10258 6.5
A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10257 6.5
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10256 6.5
A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10255 6.5
A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10365 3.5
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
01-05-2018 - 12:29 01-05-2018 - 12:29
CVE-2018-10371 4.3
An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1.3 for WordPress. A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to
01-05-2018 - 09:29 01-05-2018 - 09:29
CVE-2018-10517 6.5
In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operation in the admin dashboard contains a remote code execution vulnerability, exploitable by an admin user, because an XML Package can contain base64-encoded PHP code in a data element.
27-04-2018 - 14:29 27-04-2018 - 14:29
CVE-2018-10504 6.8
The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.
27-04-2018 - 12:29 27-04-2018 - 12:29
CVE-2018-7465 3.5
An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the backend of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. By editing back the product/config, the editor's browser wi
26-04-2018 - 15:29 26-04-2018 - 15:29
CVE-2018-10366 4.3
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
25-04-2018 - 05:29 25-04-2018 - 05:29
CVE-2018-10310 3.5
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser
25-04-2018 - 05:29 25-04-2018 - 05:29
CVE-2018-10321 3.5
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
24-04-2018 - 02:29 24-04-2018 - 02:29
CVE-2018-10313 3.5
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-10312 6.8
index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-10311 4.3
A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-10309 3.5
The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-9245 10.0
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating system.
22-04-2018 - 09:29 22-04-2018 - 09:29
CVE-2018-10286 4.0
The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to certain HTTP POST requests. In order to be able to see t
22-04-2018 - 09:29 22-04-2018 - 09:29
CVE-2018-10285 7.5
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.
22-04-2018 - 09:29 22-04-2018 - 09:29
CVE-2018-7747 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log,
20-04-2018 - 17:29 20-04-2018 - 17:29
CVE-2018-10188 6.8
phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php.
19-04-2018 - 10:29 19-04-2018 - 10:29
CVE-2018-10063 6.8
The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file.
17-04-2018 - 21:29 12-04-2018 - 15:29
CVE-2018-8736 9.0
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8735 9.0
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8734 7.5
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8733 6.4
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-10118 3.5
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.
16-04-2018 - 05:58 16-04-2018 - 05:58
CVE-2018-10109 3.5
Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog.
16-04-2018 - 05:58 16-04-2018 - 05:58
CVE-2018-10068 4.3
The jDownloads extension before 3.2.59 for Joomla! has XSS.
12-04-2018 - 14:29 12-04-2018 - 14:29
CVE-2018-9118 5.0
exports/download.php in the 99 Robots WP Background Takeover Advertisements plugin before 4.1.5 for WordPress has Directory Traversal via a .. in the filename parameter.
12-04-2018 - 11:29 12-04-2018 - 11:29
CVE-2018-9038 5.5
Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.
10-04-2018 - 14:29 10-04-2018 - 14:29
CVE-2017-14611 6.4
SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.
10-04-2018 - 11:29 10-04-2018 - 11:29
CVE-2018-9926 6.8
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
10-04-2018 - 02:29 10-04-2018 - 02:29
CVE-2018-9857 4.3
PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to searchbyid.php (aka the "View Search By Id" screen).
09-04-2018 - 03:29 09-04-2018 - 03:29
CVE-2018-9844 4.3
The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
07-04-2018 - 03:29 07-04-2018 - 03:29
CVE-2018-9035 6.8
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.
04-04-2018 - 15:29 04-04-2018 - 15:29
CVE-2018-9034 3.5
Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter.
04-04-2018 - 15:29 04-04-2018 - 15:29
CVE-2018-8719 5.0
An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find se
04-04-2018 - 15:29 04-04-2018 - 15:29
CVE-2018-9205 5.0
Vulnerability in avatar_uploader v7.x-1.0-beta8. The code in view.php doesn't verify users or sanitize the file path.
04-04-2018 - 11:29 04-04-2018 - 11:29
CVE-2018-8814 5.8
Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request.
04-04-2018 - 11:29 04-04-2018 - 11:29
CVE-2018-8813 4.9
Open redirect vulnerability in the login[redirect] parameter login functionality in WolfCMS 0.8.3.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL.
04-04-2018 - 11:29 04-04-2018 - 11:29
CVE-2018-9238 4.3
proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9237 3.5
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" field.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9236 3.5
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9235 4.3
iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query parameter to search.php.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9183 3.5
The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS.
02-04-2018 - 11:29 02-04-2018 - 11:29
CVE-2018-9173 4.3
Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter.
01-04-2018 - 23:29 01-04-2018 - 23:29
CVE-2018-9172 3.5
The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.
01-04-2018 - 19:29 01-04-2018 - 19:29
CVE-2018-8908 6.8
An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will
31-03-2018 - 18:29 31-03-2018 - 18:29
CVE-2018-7600 7.5
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
29-03-2018 - 03:29 29-03-2018 - 03:29
CVE-2018-9107 6.8
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export.
28-03-2018 - 00:29 28-03-2018 - 00:29
CVE-2018-9106 6.8
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.
28-03-2018 - 00:29 28-03-2018 - 00:29
CVE-2018-9092 6.8
There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password.
27-03-2018 - 18:29 27-03-2018 - 18:29
CVE-2018-9032 7.5
An authentication bypass vulnerability on D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router (Hardware Version : A1, B1; Firmware Version : 1.02-2.06) devices potentially allows attackers to bypass SharePort Web Access Portal by directly
26-03-2018 - 23:29 26-03-2018 - 23:29
CVE-2018-7543 4.3
Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter.
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-8817 6.8
Wampserver before 3.1.3 has CSRF in add_vhost.php.
25-03-2018 - 15:29 25-03-2018 - 15:29
CVE-2018-8947 5.0
rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request.
25-03-2018 - 12:29 25-03-2018 - 12:29
CVE-2018-8903 3.5
Open-AudIT Professional 2.1 allows XSS via the Name or Description field on the Credentials screen.
22-03-2018 - 17:29 22-03-2018 - 17:29
CVE-2014-4912 7.5
An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation.
22-03-2018 - 00:29 22-03-2018 - 00:29
CVE-2014-1665 3.5
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
20-03-2018 - 17:29 20-03-2018 - 17:29
CVE-2018-8815 3.5
Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image.
20-03-2018 - 03:29 20-03-2018 - 03:29
CVE-2018-8811 6.8
Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation.
20-03-2018 - 03:29 20-03-2018 - 03:29
CVE-2018-8732 3.5
Cross-site scripting (XSS) vulnerability in WampServer 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the virtual_del parameter.
19-03-2018 - 16:29 19-03-2018 - 16:29
CVE-2018-7422 5.0
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absol
19-03-2018 - 10:29 19-03-2018 - 10:29
CVE-2018-8770 5.0
Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via generate.php, controllers/getConfigTest.php, controllers/getUpdateTest.php, controllers/postclientdataTest.php, controllers/posterrorTest.php, controllers/posteventTest.php, control
18-03-2018 - 02:29 18-03-2018 - 02:29
CVE-2014-4613 4.3
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
16-03-2018 - 13:29 16-03-2018 - 13:29
CVE-2018-8729 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
15-03-2018 - 13:29 15-03-2018 - 13:29
CVE-2018-7474 7.5
An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.
14-03-2018 - 10:29 14-03-2018 - 10:29
CVE-2018-1000094 6.5
CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that allows an authenticated admin who has access to the file manager to execute code on the server. This attack appears to be exploitable via
12-03-2018 - 21:29 12-03-2018 - 21:29
CVE-2018-7538 7.5
A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18 allows attackers to execute arbitrary SQL commands.
12-03-2018 - 17:29 12-03-2018 - 17:29
CVE-2018-8057 7.5
A SQL Injection vulnerability exists in Western Bridge Cobub Razor 0.8.0 via the channel_name or platform parameter in a /index.php?/manage/channel/addchannel request, related to /application/controllers/manage/channel.php.
11-03-2018 - 14:29 11-03-2018 - 14:29
CVE-2018-8056 5.0
Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via an invalid channel_name parameter to /index.php?/manage/channel/addchannel or a direct request to /export.php.
11-03-2018 - 14:29 11-03-2018 - 14:29
CVE-2017-15367 7.5
Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server.
07-03-2018 - 15:29 07-03-2018 - 15:29
CVE-2018-7746 4.3
An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel requ
07-03-2018 - 12:29 07-03-2018 - 12:29
CVE-2018-7745 5.0
An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/install/installation/createuserinfo requests, resulting in account creation.
07-03-2018 - 12:29 07-03-2018 - 12:29
CVE-2018-7737 5.0
In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as demonstrated by admin_footer.php or admin_footer.php.
06-03-2018 - 16:29 06-03-2018 - 16:29
CVE-2018-7736 4.3
In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter.
06-03-2018 - 16:29 06-03-2018 - 16:29
CVE-2018-7653 4.3
In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter.
04-03-2018 - 14:29 04-03-2018 - 14:29
CVE-2018-7584 7.5
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This
01-03-2018 - 14:29 01-03-2018 - 14:29
CVE-2015-4117 6.5
Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php.
28-02-2018 - 17:29 28-02-2018 - 17:29
CVE-2018-7477 7.5
SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 via the Username and Password fields to parents/Parent_module/parent_login.php.
28-02-2018 - 02:29 28-02-2018 - 02:29
CVE-2018-7490 5.0
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
26-02-2018 - 17:29 26-02-2018 - 17:29
CVE-2018-7448 8.5
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.
26-02-2018 - 12:29 26-02-2018 - 12:29
CVE-2017-18195 5.0
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvI
26-02-2018 - 12:29 26-02-2018 - 12:29
CVE-2018-7466 6.0
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
25-02-2018 - 02:29 25-02-2018 - 02:29
CVE-2018-7319 7.5
SQL Injection exists in the OS Property Real Estate 3.12.7 component for Joomla! via the cooling_system1, heating_system1, or laundry parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7318 7.5
SQL Injection exists in the CheckList 1.1.1 component for Joomla! via the title_search, tag_search, name_search, description_search, or filter_order parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7317 5.0
Backup Download exists in the Proclaim 9.1.1 component for Joomla! via a direct request for a .sql file under backup/.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7316 7.5
Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla! via a mediafileform action.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7315 7.5
SQL Injection exists in the Ek Rishta 2.9 component for Joomla! via the gender, age1, age2, religion, mothertounge, caste, or country parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7314 7.5
SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7312 7.5
SQL Injection exists in the Alexandria Book Library 3.1.2 component for Joomla! via the letter parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7313 7.5
SQL Injection exists in the CW Tags 2.0.6 component for Joomla! via the searchtext array parameter.
22-02-2018 - 09:29 22-02-2018 - 09:29
CVE-2017-16356 4.3
Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim's browser by having them visit a plugins/content/sige/plugin_sige/print.php link with a crafted img, name, or captio
20-02-2018 - 10:29 20-02-2018 - 10:29
CVE-2018-6024 7.5
SQL Injection exists in the Project Log 1.5.3 component for Joomla! via the search parameter.
18-02-2018 - 15:29 18-02-2018 - 15:29
CVE-2018-7198 4.3
October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page.
17-02-2018 - 22:29 17-02-2018 - 22:29
CVE-2018-7180 7.5
SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-7179 7.5
SQL Injection exists in the SquadManagement 1.0.3 component for Joomla! via the id parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-7178 7.5
SQL Injection exists in the Saxum Picker 3.2.10 component for Joomla! via the publicid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-7177 7.5
SQL Injection exists in the Saxum Numerology 3.0.4 component for Joomla! via the publicid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6585 7.5
SQL Injection exists in the JTicketing 2.0.16 component for Joomla! via a view=events action with a filter_creator or filter_events_cat parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6584 7.5
SQL Injection exists in the DT Register 3.2.7 component for Joomla! via a task=edit&id= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6583 7.5
SQL Injection exists in the Timetable Responsive Schedule 1.5 component for Joomla! via a view=event&alias= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6396 7.5
SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6394 7.5
SQL Injection exists in the InviteX 3.0.5 component for Joomla! via the invite_type parameter in a view=invites action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6373 7.5
SQL Injection exists in the Fastball 2.5 component for Joomla! via the season parameter in a view=player action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6372 7.5
SQL Injection exists in the JB Bus 2.3 component for Joomla! via the order_number parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6370 7.5
SQL Injection exists in the NeoRecruit 4.1 component for Joomla! via the (1) PATH_INFO or (2) name of a .html file under the all-offers/ URI.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6368 7.5
SQL Injection exists in the JomEstate PRO through 3.7 component for Joomla! via the id parameter in a task=detailed action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6006 7.5
SQL Injection exists in the JS Autoz 1.0.9 component for Joomla! via the vtype, pre, or prs parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6005 7.5
SQL Injection exists in the Realpin through 1.5.04 component for Joomla! via the pinboard parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6004 7.5
SQL Injection exists in the File Download Tracker 3.0 component for Joomla! via the dynfield[phone] or sess parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5994 7.5
SQL Injection exists in the JS Jobs 1.1.9 component for Joomla! via the zipcode parameter in a newest-jobs request, or the ta parameter in a view_resume request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5993 7.5
SQL Injection exists in the Aist through 2.0 component for Joomla! via the id parameter in a view=showvacancy request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5992 7.5
SQL Injection exists in the Staff Master through 1.0 RC 1 component for Joomla! via the name parameter in a view=staff request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5991 7.5
SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5990 7.5
SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joomla! via the divid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5989 7.5
SQL Injection exists in the ccNewsletter 2.x component for Joomla! via the id parameter in a task=removeSubscriber action, a related issue to CVE-2011-5099.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5987 7.5
SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 component for Joomla! via the pin_id or user_id parameter in a task=getlikeinfo action, the ends parameter in a view=gift action, the category parameter in a view=home action, the uid pa
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5983 7.5
SQL Injection exists in the JquickContact 1.3.2.2.1 component for Joomla! via a task=refresh&sid= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5982 7.5
SQL Injection exists in the Advertisement Board 3.1.0 component for Joomla! via a task=show_rss_categories&catname= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5981 7.5
SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5980 7.5
SQL Injection exists in the Solidres 2.5.1 component for Joomla! via the direction parameter in a hub.search action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5975 7.5
SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5974 7.5
SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5971 7.5
SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joomla! via the id parameter or the mid array parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5970 7.5
SQL Injection exists in the JGive 2.0.9 component for Joomla! via the filter_org_ind_type or campaign_countries parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-7176 6.8
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
15-02-2018 - 23:29 15-02-2018 - 23:29
CVE-2018-6928 7.5
PHP Scripts Mall News Website Script 2.0.4 has SQL Injection via a search term.
13-02-2018 - 12:29 13-02-2018 - 12:29
CVE-2018-6889 6.5
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6888 6.0
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross Site Request Forgery flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6845 4.3
PHP Scripts Mall Multi Language Olx Clone Script 2.0.6 has XSS via the Leave Comment field.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6180 5.0
A flaw in the profile section of Online Voting System 1.0 allows an unauthenticated user to set an arbitrary password for other accounts.
08-02-2018 - 18:29 08-02-2018 - 18:29
CVE-2018-6389 5.0
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many
06-02-2018 - 12:29 06-02-2018 - 12:29
CVE-2018-6610 5.0
Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request.
05-02-2018 - 17:29 05-02-2018 - 17:29
CVE-2018-6609 7.5
SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action.
05-02-2018 - 17:29 05-02-2018 - 17:29
CVE-2018-6605 7.5
SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.
05-02-2018 - 16:29 05-02-2018 - 16:29
CVE-2018-6604 7.5
SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! via the id parameter in a task=getPlacemarkDetails request.
05-02-2018 - 16:29 05-02-2018 - 16:29
CVE-2018-6582 7.5
SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.
05-02-2018 - 16:29 05-02-2018 - 16:29
CVE-2018-6579 7.5
SQL Injection exists in the JEXTN Reverse Auction 3.1.0 component for Joomla! via a view=products&uid= request.
02-02-2018 - 12:29 02-02-2018 - 12:29
CVE-2018-6578 7.5
SQL Injection exists in the JE PayperVideo 3.0.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.
02-02-2018 - 12:29 02-02-2018 - 12:29
CVE-2018-6577 7.5
SQL Injection exists in the JEXTN Membership 3.1.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.
02-02-2018 - 12:29 02-02-2018 - 12:29
CVE-2018-6576 7.5
SQL Injection exists in Event Manager 1.0 via the event.php id parameter or the page.php slug parameter.
02-02-2018 - 12:29 02-02-2018 - 12:29
CVE-2018-6398 7.5
SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load action.
30-01-2018 - 10:29 30-01-2018 - 10:29
CVE-2018-6397 5.0
Directory Traversal exists in the Picture Calendar 3.1.4 component for Joomla! via the list.php folder parameter.
30-01-2018 - 10:29 30-01-2018 - 10:29
CVE-2018-6395 7.5
SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action.
30-01-2018 - 10:29 30-01-2018 - 10:29
CVE-2018-6008 5.0
Arbitrary File Download exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.
29-01-2018 - 00:29 29-01-2018 - 00:29
CVE-2018-6007 6.8
CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.
29-01-2018 - 00:29 29-01-2018 - 00:29
CVE-2017-17976 7.5
In Utilities.php in Perfex CRM 1.9.7, unrestricted file upload can lead to remote code execution.
26-01-2018 - 15:29 26-01-2018 - 15:29
CVE-2017-14523 5.0
** DISPUTED ** WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from
26-01-2018 - 15:29 26-01-2018 - 15:29
CVE-2018-5973 7.5
SQL Injection exists in Professional Local Directory Script 1.0 via the sellers_subcategories.php IndustryID parameter, or the suppliers.php IndustryID or CategoryID parameter.
25-01-2018 - 12:29 25-01-2018 - 12:29
CVE-2018-5954 5.0
phpFreeChat 1.7 and earlier allows remote attackers to cause a denial of service by sending a large number of connect commands.
25-01-2018 - 11:29 25-01-2018 - 11:29
CVE-2017-1000474 7.5
Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is vulnerable to multiple SQL Injection issues in the login/vehicle.php, login/profile.php, login/Actions.php, login/manage_employee.php, and login/sell.php scripts, resulting in the expose of u
24-01-2018 - 17:29 24-01-2018 - 17:29
CVE-2018-5705 4.3
Reservo Image Hosting 1.6 is vulnerable to XSS attacks. The affected function is its search engine (the t parameter to the /search URI). Since there is a user/admin login interface, it's possible for attackers to steal sessions of users and thus adm
24-01-2018 - 12:29 24-01-2018 - 12:29
CVE-2018-5988 7.5
SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobile_preview.php or index.php.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5986 7.5
SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5985 7.5
SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for Joomla! via an r=site/login&company_id= request.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5984 7.5
SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 component for Joomla! via the PATH_INFO to the category/ URI.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5979 7.5
SQL Injection exists in Wchat Fully Responsive PHP AJAX Chat Script 1.5 via the login.php User field.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5978 7.5
SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the login.php User field.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5977 7.5
SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&price_type=range&price= request.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5976 6.8
Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5972 7.5
SQL Injection exists in Classified Ads CMS Quickad 4.0 via the keywords, placeid, cat, or subcat parameter to the listing URI.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5969 6.8
Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2017-17999 7.5
SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allows remote attackers to execute arbitrary SQL commands via the search parameter to index.php/knowledge_base/get_article_suggestion/.
23-01-2018 - 13:29 23-01-2018 - 13:29
CVE-2017-18049 4.3
In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Micro
23-01-2018 - 01:29 23-01-2018 - 01:29
CVE-2018-5715 4.3
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
16-01-2018 - 15:29 16-01-2018 - 15:29
CVE-2018-5370 4.3
BizLogic xnami 1.0 has XSS via the comment parameter in an addComment action to the /media/ajax URI.
16-01-2018 - 14:29 16-01-2018 - 14:29
CVE-2018-5479 4.3
FoxSash ImgHosting 1.5 (according to footer information) is vulnerable to XSS attacks. The affected function is its search engine via the search parameter to the default URI. Since there is a user/admin login interface, it's possible for attackers t
15-01-2018 - 11:29 15-01-2018 - 11:29
CVE-2018-5688 4.3
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
14-01-2018 - 15:29 14-01-2018 - 15:29
CVE-2018-5315 7.5
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php.
12-01-2018 - 12:29 12-01-2018 - 12:29
CVE-2017-17970 7.5
Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to t
12-01-2018 - 12:29 12-01-2018 - 12:29
CVE-2012-0699 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php
11-01-2018 - 15:29 11-01-2018 - 15:29
CVE-2012-6667 4.3
Cross-site scripting (XSS) vulnerability in vbshout.php in DragonByte Technologies vBShout module for vBulletin allows remote attackers to inject arbitrary web script or HTML via the shout parameter in a shout action.
11-01-2018 - 11:29 11-01-2018 - 11:29
CVE-2018-5211 7.5
PHP Melody version 2.7.1 suffers from a time-based SQL Injection attack on the page ajax.php with the parameter playlist.
09-01-2018 - 11:29 09-01-2018 - 11:29
CVE-2018-5263 3.5
The StackIdeas EasyDiscuss (aka com_easydiscuss) extension before 4.0.21 for Joomla! allows XSS.
08-01-2018 - 18:29 08-01-2018 - 18:29
CVE-2017-1000499 6.8
phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc.
03-01-2018 - 09:29 03-01-2018 - 09:29
CVE-2017-1000432 6.0
Vanilla Forums below 2.1.5 is affected by CSRF, leading to deletion of topics and comments from forums with Admin access.
02-01-2018 - 18:29 02-01-2018 - 18:29
CVE-2017-17098 7.5
The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by <?php
02-01-2018 - 10:29 02-01-2018 - 10:29
CVE-2017-17097 5.0
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easie
02-01-2018 - 10:29 02-01-2018 - 10:29
CVE-2018-3811 7.5
SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did
01-01-2018 - 01:29 01-01-2018 - 01:29
CVE-2018-3810 7.5
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages ser
01-01-2018 - 01:29 01-01-2018 - 01:29
CVE-2015-3302 5.0
The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by leveraging a "broken authentication mechanism."
29-12-2017 - 17:29 29-12-2017 - 17:29
CVE-2017-17876 5.0
Biometric Shift Employee Management System 3.0 allows remote attackers to bypass intended file-read restrictions via a user=download request with a pathname in the path parameter.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17875 7.5
The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17872 7.5
The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17871 7.5
The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL Injection via the an parameter in a view=tags action, or the ques-srch parameter.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-16949 7.5
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cor
18-12-2017 - 21:29 18-12-2017 - 21:29
CVE-2017-17651 7.5
Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php uid parameter, the admin/viewemcamp.php fnum parameter, or the admin/viewvisitcamp.php fn parameter.
18-12-2017 - 04:29 18-12-2017 - 04:29
CVE-2017-17649 4.3
Readymade Video Sharing Script 3.2 has HTML Injection via the single-video-detail.php comment parameter.
18-12-2017 - 04:29 18-12-2017 - 04:29
CVE-2017-17645 7.5
Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.
18-12-2017 - 04:29 18-12-2017 - 04:29
CVE-2017-17643 7.5
FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/.
18-12-2017 - 04:29 18-12-2017 - 04:29
CVE-2017-17648 7.5
Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_result.php marital, gender, country, or profileid parameter.
13-12-2017 - 11:29 13-12-2017 - 11:29
CVE-2017-17639 7.5
Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter.
13-12-2017 - 04:29 13-12-2017 - 04:29
CVE-2017-17584 7.5
FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter.
13-12-2017 - 04:29 13-12-2017 - 04:29
CVE-2017-17560 10.0
An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used
12-12-2017 - 13:29 12-12-2017 - 13:29
CVE-2017-17111 7.5
Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request.
11-12-2017 - 12:29 11-12-2017 - 12:29
CVE-2017-17110 7.5
Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL commands via a single.php?id= request.
11-12-2017 - 12:29 11-12-2017 - 12:29
CVE-2017-17055 8.5
Artica Web Proxy before 3.06.112911 allows remote attackers to execute arbitrary code as root by conducting a cross-site scripting (XSS) attack involving the username-form-id parameter to freeradius.users.php.
06-12-2017 - 21:29 06-12-2017 - 21:29
CVE-2017-17058 5.0
** DISPUTED ** The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that D
29-11-2017 - 02:29 29-11-2017 - 02:29
CVE-2017-15806 6.8
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a craft
15-11-2017 - 11:29 15-11-2017 - 11:29
CVE-2017-16807 3.5
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
13-11-2017 - 16:29 13-11-2017 - 16:29
CVE-2017-16781 3.5
The installer in MyBB before 1.8.13 has XSS.
10-11-2017 - 18:29 10-11-2017 - 18:29
CVE-2017-16780 7.5
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
10-11-2017 - 18:29 10-11-2017 - 18:29
CVE-2015-3933 7.5
Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php.
08-11-2017 - 11:29 08-11-2017 - 11:29
CVE-2017-16524 6.5
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, wh
06-11-2017 - 03:29 06-11-2017 - 03:29
CVE-2017-16244 6.8
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism i
31-10-2017 - 21:29 31-10-2017 - 21:29
CVE-2017-15993 7.5
Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15992 7.5
Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15991 7.5
Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerabil
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15990 7.5
Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15989 7.5
Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15988 7.5
Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15987 7.5
Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15986 7.5
CPA Lead Reward Script allows SQL Injection via the username parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15985 7.5
Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15984 7.5
Creative Management System (CMS) Lite 1.4 allows SQL Injection via the S parameter to index.php.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15983 7.5
MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15982 7.5
Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15981 7.5
Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15980 7.5
US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15979 7.5
Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the photo parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15978 7.5
AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15977 7.5
Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-7411 6.5
An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users
30-10-2017 - 10:29 30-10-2017 - 10:29
CVE-2017-15976 7.5
ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15975 7.5
Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_id' parameter to add_to_cart.php, a different vulnerability than CVE-2008-4461.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15974 7.5
tPanel 2009 allows SQL injection for Authentication Bypass via 'or 1=1 or ''=' to login.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15973 7.5
Sokial Social Network Script 1.0 allows SQL Injection via the id parameter to admin/members_view.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15972 7.5
SoftDatepro Dating Social Network 1.3 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15971.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15971 7.5
Same Sex Dating Software Pro 1.0 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15972.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15970 7.5
PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15969 7.5
PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to search/tag, friends/index, users/profile, or video_catalog/category.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15968 7.5
MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.php subcategory parameter.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15967 7.5
Mailing List Manager Pro 3.0 allows SQL Injection via the edit parameter to admin/users in a sort=login action, or the edit parameter to admin/template.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15966 7.5
The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15965 7.5
The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15964 7.5
Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15963 7.5
iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.php sc parameter or the service-provider.php ser parameter.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15962 7.5
iStock Management System 1.0 allows Arbitrary File Upload via user/profile.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15961 7.5
iProject Management System 1.0 allows SQL Injection via the ID parameter to index.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15960 7.5
Article Directory Script 3.0 allows SQL Injection via the id parameter to author.php or category.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15959 7.5
Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /download URI, a different vulnerability than CVE-2007-6576.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15958 7.5
D-Park Pro Domain Parking Script 1.0 allows SQL Injection via the username parameter to admin/loginform.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15957 6.5
my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2014-2023 7.5
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscr
26-10-2017 - 16:29 26-10-2017 - 16:29
CVE-2017-15081 7.5
In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
24-10-2017 - 02:29 24-10-2017 - 02:29
CVE-2015-5533 6.5
SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php.
23-10-2017 - 14:29 23-10-2017 - 14:29
CVE-2017-15730 6.8
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php.
22-10-2017 - 14:29 22-10-2017 - 14:29
CVE-2017-15727 4.3
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.
22-10-2017 - 14:29 22-10-2017 - 14:29
CVE-2017-14956 3.5
AlienVault USM v5.4.2 and earlier offers authenticated users the functionality of exporting generated reports via the "/ossim/report/wizard_email.php" script. Besides offering an export via a local download, the script also offers the possibility to
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2017-14322 10.0
The function in charge of checking whether the user is already logged in, in init.php in Interspire Email Marketer (IEM) prior to 6.1.6, allows remote attackers to bypass authentication and obtain administrative access by using the IEM_CookieLogin cookie wit
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2015-7715 6.8
Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allows remote attackers to hijack the authentication of administrators for requests that add a user via an add_user action to administrat
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2015-7714 6.5
Multiple SQL injection vulnerabilities in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allow remote administrators to execute arbitrary SQL commands via the (1) id, (2) copy_field in a data_copy action, (3) pshow in an update_field a
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2015-2780 7.5
Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
16-10-2017 - 14:29 16-10-2017 - 14:29
CVE-2014-9148 7.5
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
16-10-2017 - 11:29 16-10-2017 - 11:29
CVE-2014-9147 5.0
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
16-10-2017 - 11:29 16-10-2017 - 11:29
CVE-2017-15284 3.5
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the
12-10-2017 - 04:29 12-10-2017 - 04:29
CVE-2017-14087 5.0
A Host Header Injection vulnerability in Trend Micro OfficeScan XG (12.0) may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14085 5.0
Information disclosure vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to query the network's NT domain or the PHP version and modules.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14083 5.0
A vulnerability in Trend Micro OfficeScan 11.0 and XG allows remote unauthenticated users who can access the system to download the OfficeScan encryption file.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-6090 6.5
Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to th
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-6089 7.5
SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14848 6.5
WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14738 7.5
FileRun (version 2017.09.18 and below) suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the metafield parameter inside the metasearch module (under the search function).
29-09-2017 - 21:29 29-09-2017 - 21:29
CVE-2017-14507 7.5
Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_
28-09-2017 - 21:34 28-09-2017 - 21:34
CVE-2017-14847 6.5
Mojoomla WPAMS Apartment Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14846 6.5
Mojoomla Hospital Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14845 6.5
Mojoomla WPCHURCH Church Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14844 6.5
Mojoomla WPGYM WordPress Gym Management System allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14843 6.5
Mojoomla School Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14842 6.5
Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14841 4.0
Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14840 6.5
TeamWork TicketPlus allows Arbitrary File Upload in updateProfile.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14839 6.5
TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14838 6.5
TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14704 6.5
Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension, t
26-09-2017 - 10:29 26-09-2017 - 10:29
CVE-2017-14703 7.5
SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/.
26-09-2017 - 09:29 26-09-2017 - 09:29
CVE-2015-4669 7.2
The MySQL "root" user in Xsuite 2.x does not have a password set, which allows local users to access databases on the system.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2015-4668 5.8
Open redirect vulnerability in Xsuite 2.4.4.5 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirurl parameter.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2015-4667 7.5
Multiple hardcoded credentials in Xsuite 2.x.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2017-14717 3.5
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
22-09-2017 - 15:29 22-09-2017 - 15:29
CVE-2017-14712 3.5
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
22-09-2017 - 15:29 22-09-2017 - 15:29
CVE-2017-14619 4.3
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
20-09-2017 - 17:29 20-09-2017 - 17:29
CVE-2017-14618 3.5
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
20-09-2017 - 17:29 20-09-2017 - 17:29
CVE-2015-2826 5.0
WordPress Simple Ads Manager plugin 2.5.94 and 2.5.96 allows remote attackers to obtain sensitive information.
20-09-2017 - 14:29 20-09-2017 - 14:29
CVE-2015-4075 6.8
The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4074 5.0
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4073 7.5
Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (3) remote authenticated users to execute arbitrary
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4072 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to inject arbitrary web script or HTML via vectors related to name and message.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2017-14143 7.5
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and e
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9619 6.5
Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9618 7.5
The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9611 7.5
Netsweeper before 4.0.5 allows remote attackers to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9610 5.0
Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and remove IP addresses from the quarantine via the ip parameter to webadmin/user/quarantine_disable.php.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9463 9.0
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
15-09-2017 - 16:29 15-09-2017 - 16:29
CVE-2017-1002008 7.5
Vulnerability in the WordPress plugin membership-simplified-for-oap-members-only v1.58. The file download code located in membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002003 7.5
Vulnerability in the WordPress plugin wp2android-turn-wp-site-into-android-app v1.1.4. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002002 7.5
Vulnerability in the WordPress plugin webapp-builder v2.0. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002001 7.5
Vulnerability in the WordPress plugin mobile-app-builder-by-wappress v1.05. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002000 7.5
Vulnerability in the WordPress plugin mobile-friendly-app-builder-by-easytouch v3.0. The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php does not require authentication or check that the user is allowed to upload content.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2015-8351 6.8
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captc
11-09-2017 - 16:29 11-09-2017 - 16:29
CVE-2015-3314 6.8
SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5.
07-09-2017 - 16:29 07-09-2017 - 16:29
CVE-2015-3313 7.5
SQL injection vulnerability in WordPress Community Events plugin before 1.4.
07-09-2017 - 16:29 07-09-2017 - 16:29
CVE-2017-9834 7.5
SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the watupro_questions parameter in a watupro_submit action to wp-admin/admin-ajax.php.
07-09-2017 - 10:29 07-09-2017 - 10:29
CVE-2017-14126 4.3
The Participants Database plugin before 1.7.5.10 for WordPress has XSS.
04-09-2017 - 16:29 04-09-2017 - 16:29
CVE-2014-8677 3.5
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being u
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2014-8676 5.0
Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2014-8675 5.0
Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash.
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2015-8352 10.0
Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.
24-08-2017 - 17:29 24-08-2017 - 17:29
CVE-2017-12971 4.3
Cross-site scripting (XSS) vulnerability in Apache2Triad 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the account parameter to phpsftpd/users.php.
23-08-2017 - 12:29 23-08-2017 - 12:29
CVE-2017-12970 6.8
Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack the authentication of authenticated users for requests that (1) add or (2) delete user accounts via a request to phpsftpd/users.php.
23-08-2017 - 12:29 23-08-2017 - 12:29
CVE-2017-12965 7.5
Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
23-08-2017 - 12:29 23-08-2017 - 12:29
CVE-2017-12984 4.3
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
21-08-2017 - 03:29 21-08-2017 - 03:29
CVE-2015-4071 5.0
The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote attackers to read the support tickets of arbitrary users via obtaining the target ticketId, and navigating to http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}.
18-08-2017 - 14:29 18-08-2017 - 14:29
CVE-2014-5144 3.5
Cross-site scripting (XSS) vulnerability in Telescope before 0.9.3 allows remote authenticated users to inject arbitrary web script or HTML via crafted markdown.
09-08-2017 - 14:29 09-08-2017 - 14:29
CVE-2015-7571 6.8
Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
07-08-2017 - 16:29 07-08-2017 - 16:29
CVE-2014-9262 5.5
The Duplicator plugin in WordPress before 0.5.10 allows remote authenticated users to create and download backup files.
07-08-2017 - 13:29 07-08-2017 - 13:29
CVE-2017-11394 10.0
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI
03-08-2017 - 11:29 03-08-2017 - 11:29
CVE-2015-2798 7.5
SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
25-07-2017 - 14:29 25-07-2017 - 14:29
CVE-2017-10682 7.5
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
29-06-2017 - 17:29 29-06-2017 - 17:29
CVE-2017-6086 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST
27-06-2017 - 16:29 27-06-2017 - 16:29
CVE-2016-7508 6.0
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
21-06-2017 - 16:29 21-06-2017 - 16:29
CVE-2017-9730 7.5
SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
19-06-2017 - 08:29 19-06-2017 - 08:29
CVE-2017-9603 6.5
SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php.
13-06-2017 - 14:29 13-06-2017 - 14:29
CVE-2017-9429 6.5
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php.
13-06-2017 - 14:29 13-06-2017 - 14:29
CVE-2017-9418 6.5
SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php.
12-06-2017 - 09:29 12-06-2017 - 09:29
CVE-2014-8687 10.0
Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens.
08-06-2017 - 12:29 08-06-2017 - 12:29
CVE-2017-9516 3.5
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
08-06-2017 - 09:29 08-06-2017 - 09:29
CVE-2016-10073 5.0
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a passwo
23-05-2017 - 00:29 23-05-2017 - 00:29
CVE-2017-1092 10.0
IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390.
22-05-2017 - 16:29 22-05-2017 - 16:29
CVE-2017-9101 7.5
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.
21-05-2017 - 14:29 21-05-2017 - 14:29
CVE-2017-7620 4.3
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which
21-05-2017 - 10:29 21-05-2017 - 10:29
CVE-2017-9080 7.5
PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.
19-05-2017 - 11:29 19-05-2017 - 11:29
CVE-2017-8917 7.5
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
17-05-2017 - 19:29 17-05-2017 - 19:29
CVE-2017-8382 3.5
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
16-05-2017 - 06:29 16-05-2017 - 06:29
CVE-2017-8928 6.8
mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF.
14-05-2017 - 18:29 14-05-2017 - 18:29
CVE-2017-8912 6.5
** DISPUTED ** CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor report
12-05-2017 - 03:29 12-05-2017 - 03:29
CVE-2017-7981 9.0
Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, an
11-05-2017 - 10:22 29-04-2017 - 12:59
CVE-2016-4313 6.8
Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file.
01-05-2017 - 21:59 24-04-2017 - 14:59
CVE-2017-5631 4.3
An issue was discovered in KMCIS CaseAware. Reflected cross-site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string.
01-05-2017 - 10:59 01-05-2017 - 10:59
CVE-2014-7235 10.0
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP uns
28-04-2017 - 21:59 07-10-2014 - 10:55
CVE-2015-7568 7.5
SQL injection vulnerability in the password recovery feature in Yeager CMS 1.2.1 allows remote attackers to change the account credentials of known users via the "userEmail" parameter.
28-04-2017 - 12:26 24-04-2017 - 14:59
CVE-2016-5399 6.8
The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.
27-04-2017 - 15:54 21-04-2017 - 16:59
CVE-2015-7569 7.5
SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager CMS 1.2.1 allows local users to execute arbitrary SQL commands via the "pagedir_orderby" parameter.
27-04-2017 - 15:15 24-04-2017 - 14:59
CVE-2015-7570 6.4
Multiple server-side request forgery (SSRF) vulnerabilities in Yeager CMS 1.2.1 allow remote attackers to trigger outbound requests and enumerate open ports via the dbhost parameter to libs/org/adodb_lite/tests/test_adodb_lite.php, libs/org/adodb_lit
27-04-2017 - 13:45 24-04-2017 - 14:59
CVE-2016-1713 8.5
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a cra
25-04-2017 - 11:52 14-04-2017 - 14:59
CVE-2015-7572
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-0237. Reason: This candidate is a duplicate of CVE-2013-0237. Notes: All CVE users should reference CVE-2013-0237 instead of this candidate. All references and descriptions in this
24-04-2017 - 14:59 24-04-2017 - 14:59
CVE-2015-8356 6.0
Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (
22-04-2017 - 10:12 14-04-2017 - 10:59
CVE-2015-6567 6.5
Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Exploitation requires a registered user who has access
21-04-2017 - 14:22 14-04-2017 - 12:59
CVE-2015-6568 6.5
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for
21-04-2017 - 14:21 14-04-2017 - 12:59
CVE-2017-7615 6.5
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
21-04-2017 - 12:08 16-04-2017 - 10:59
CVE-2017-7725 4.3
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any
20-04-2017 - 17:15 13-04-2017 - 13:59
CVE-2015-7562 4.3
Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role.
20-04-2017 - 09:41 12-04-2017 - 18:59
CVE-2015-7563 6.8
Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user.
20-04-2017 - 09:40 12-04-2017 - 18:59
CVE-2015-7564 7.5
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in
20-04-2017 - 08:32 12-04-2017 - 18:59
CVE-2016-4337 7.5
SQL injection vulnerability in the mgr.login.php file in Ktools.net Photostore before 4.7.5 allows remote attackers to execute arbitrary SQL commands via the email parameter in a recover_login action.
19-04-2017 - 15:47 12-04-2017 - 18:59
CVE-2016-2555 7.5
SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php.
19-04-2017 - 15:46 13-04-2017 - 10:59
CVE-2015-8284 6.5
SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2015-8283 6.8
Directory traversal vulnerability in configure_manage.php in SeaWell Networks Spectrum SDC 02.05.00.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2015-8282 7.5
SeaWell Networks Spectrum SDC 02.05.00 has a default password of "admin" for the "admin" account.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2017-6088 9.0
Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) bp_name, (2) display, (3) search, or (4) equipment parameter to module/monitoring_ged/ged
17-04-2017 - 14:18 11-04-2017 - 14:59
CVE-2017-7571 6.0
public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtaining admin privileges.
12-04-2017 - 16:36 06-04-2017 - 13:59
CVE-2017-7447 6.8
HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote execution of arbitrary PHP code.
10-04-2017 - 21:59 05-04-2017 - 18:59
CVE-2017-7446 6.8
HelpDEZk 1.1.1 has CSRF in admin/home#/person/ with an impact of obtaining admin privileges.
10-04-2017 - 18:19 05-04-2017 - 18:59
CVE-2017-7402 7.5
Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/
10-04-2017 - 12:24 03-04-2017 - 13:59
CVE-2015-8309 4.0
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
29-03-2017 - 21:59 27-03-2017 - 11:59
CVE-2017-6087 6.5
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_f
28-03-2017 - 21:59 24-03-2017 - 10:59
CVE-2016-1000125 7.5
Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
28-03-2017 - 14:31 06-10-2016 - 10:59
CVE-2016-1000124 7.5
Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
28-03-2017 - 14:31 06-10-2016 - 10:59
CVE-2017-2641 7.5
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
28-03-2017 - 13:16 26-03-2017 - 14:59
CVE-2016-6174 6.8
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execut
20-03-2017 - 21:59 12-07-2016 - 15:59
CVE-2017-6823 6.5
Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.
16-03-2017 - 21:59 12-03-2017 - 00:59
CVE-2017-6104 5.0
Remote file upload vulnerability in WordPress plugin Mobile App Native 3.0.
07-03-2017 - 09:17 02-03-2017 - 17:59
CVE-2017-5344 7.5
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklis
06-03-2017 - 21:59 17-02-2017 - 02:59
CVE-2016-6175 7.5
Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
28-02-2017 - 12:49 07-02-2017 - 10:59
CVE-2017-5630 5.0
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess ove
28-02-2017 - 10:34 01-02-2017 - 18:59
CVE-2016-3694 7.5
Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status par
23-02-2017 - 13:20 15-02-2017 - 14:59
CVE-2017-6097 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (requires authentication to the WordPress admin) with the POST parameter camp_id.
23-02-2017 - 10:07 21-02-2017 - 02:59
CVE-2017-6096 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (requires authentication to the WordPress admin) with the GET parameter filter_list.
23-02-2017 - 10:07 21-02-2017 - 02:59
CVE-2017-6095 7.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (unauthenticated) with the GET parameter list_id.
23-02-2017 - 10:00 21-02-2017 - 02:59
CVE-2017-6098 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (requires authentication to the WordPress admin) with the POST parameter list_id.
23-02-2017 - 09:57 21-02-2017 - 02:59
CVE-2009-0674 6.0
images/captcha.php in Raven Web Services RavenNuke 2.30, when register_globals and display_errors are enabled, allows remote attackers to determine the existence of local files by sending requests with full pathnames in the aFonts array parameter, an
19-02-2017 - 00:26 22-02-2009 - 17:30
CVE-2008-6282 6.5
SQL injection vulnerability in engine/users/users_edit_pub.inc in CMS Ortus 1.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the city parameter in a users_edit_pub action to index.php.
19-02-2017 - 00:25 25-02-2009 - 18:30
CVE-2008-4902 7.5
SQL injection vulnerability in contact_author.php in Article Publisher Pro 1.5 allows remote attackers to execute arbitrary SQL commands via the userid parameter.
19-02-2017 - 00:24 03-11-2008 - 19:58
CVE-2008-3307 7.5
SQL injection vulnerability in todos.php in C. Desseno YouTube Blog (ytb) 0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3306.
19-02-2017 - 00:23 25-07-2008 - 12:41
CVE-2006-2998 7.5
PHP remote file inclusion vulnerability in board/post.php in free QBoard 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the qb_path parameter.
19-02-2017 - 00:12 12-06-2006 - 21:02
CVE-2016-2539 6.8
Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving
15-02-2017 - 08:18 07-02-2017 - 10:59
CVE-2016-7400 7.5
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller acti
09-02-2017 - 17:25 07-02-2017 - 10:59
CVE-2016-3411 4.3
Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609.
01-02-2017 - 21:59 18-01-2017 - 17:59
CVE-2016-4793 5.0
The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
31-01-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-10045 7.5
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal esca
25-01-2017 - 21:59 30-12-2016 - 14:59
CVE-2016-10033 7.5
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
25-01-2017 - 21:59 30-12-2016 - 14:59
CVE-2016-4010 7.5
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
25-01-2017 - 14:41 23-01-2017 - 16:59
CVE-2016-6896 5.5
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugi
20-01-2017 - 10:31 18-01-2017 - 16:59
CVE-2016-6897 4.3
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by
20-01-2017 - 08:58 18-01-2017 - 16:59
CVE-2009-0441 6.8
PHP remote file inclusion vulnerability in skin_shop/standard/2_view_body/body_default.php in TECHNOTE 7.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter, a diff
19-01-2017 - 21:59 10-02-2009 - 02:00
CVE-2008-4138 10.0
PHP remote file inclusion vulnerability in skin_shop/standard/3_plugin_twindow/twindow_notice.php in TECHNOTE 7 allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter.
19-01-2017 - 21:59 24-09-2008 - 01:41
CVE-2017-5487 5.0
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp
18-01-2017 - 21:59 14-01-2017 - 21:59
CVE-2017-5223 2.1
An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using
18-01-2017 - 13:20 16-01-2017 - 01:59
CVE-2014-3857 6.5
Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php.
06-01-2017 - 22:00 03-07-2014 - 10:55
CVE-2016-10074 7.5
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mai
03-01-2017 - 13:56 30-12-2016 - 14:59
CVE-2016-10034 7.5
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently e
03-01-2017 - 13:07 30-12-2016 - 14:59
CVE-2015-4127 4.3
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin
30-12-2016 - 21:59 28-05-2015 - 10:59
CVE-2015-4010 6.8
Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the
30-12-2016 - 21:59 09-06-2015 - 10:59
CVE-2013-7349 7.5
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter to news/send.php, (2) thread_id parameter to posts/edit.php, or (3) user_email parameter to users/password.ph
30-12-2016 - 21:59 31-03-2014 - 23:25
CVE-2013-7316 4.3
Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html.
30-12-2016 - 21:59 24-01-2014 - 10:08
CVE-2013-7274 3.5
Cross-site scripting (XSS) vulnerability in Wallpaper Script 3.5.0082 allows remote authenticated users to inject arbitrary web script or HTML via the title field in a wallpaper file upload.
30-12-2016 - 21:59 08-01-2014 - 10:29
CVE-2013-5640 7.5
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php,
30-12-2016 - 21:59 31-03-2014 - 23:24
CVE-2013-5573 4.3
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
30-12-2016 - 21:59 31-12-2013 - 11:04
CVE-2016-9838 5.0
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account an
22-12-2016 - 11:27 16-12-2016 - 04:59
CVE-2016-1000123 7.5
Unauthenticated SQL injection in Huge-IT Video Gallery v1.0.9 for Joomla.
22-12-2016 - 09:21 06-10-2016 - 10:59
CVE-2015-7235 7.5
Multiple SQL injection vulnerabilities in dex_reservations.php in the CP Reservation Calendar plugin before 1.1.7 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a dex_reservations_calendar_load2 act
21-12-2016 - 22:00 17-09-2015 - 12:59
CVE-2015-6962 7.5
SQL injection vulnerability in the web application in Farol allows remote attackers to execute arbitrary SQL commands via the email parameter to tkmonitor/estrutura/login/Login.actions.php.
21-12-2016 - 22:00 17-09-2015 - 11:59
CVE-2015-6827 6.8
Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1.0 allows remote attackers to hijack the authentication of users for requests that change a password via a request to signup.php.
21-12-2016 - 22:00 11-09-2015 - 11:59
CVE-2015-6805 3.5
Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.
21-12-2016 - 22:00 02-09-2015 - 10:59
CVE-2015-6655 6.8
Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via a request to admin/admin_users.php.
21-12-2016 - 22:00 31-08-2015 - 15:59
CVE-2015-6545 6.8
Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb before 7.0.4 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a saveWorkerPeek action.
21-12-2016 - 22:00 03-09-2015 - 13:59
CVE-2015-2321 4.3
Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the email field.
21-12-2016 - 21:59 13-08-2015 - 10:59
CVE-2012-6644 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.6 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to channels.php, (2) collections.php, (3) groups.php, or (4) videos.php; (5) query parameter
21-12-2016 - 21:59 08-04-2014 - 10:22
CVE-2015-6522 7.5
SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.
09-12-2016 - 09:29 19-08-2015 - 11:59
CVE-2015-5075 6.8
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
07-12-2016 - 22:09 29-09-2015 - 15:59
CVE-2015-5074 7.5
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht ext
07-12-2016 - 22:09 29-09-2015 - 15:59
CVE-2008-6740 6.8
PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.
07-12-2016 - 22:01 21-04-2009 - 14:30
CVE-2008-5191 7.5
Multiple SQL injection vulnerabilities in SePortal 2.4 allow remote attackers to execute arbitrary SQL commands via the (1) poll_id parameter to poll.php and the (2) sp_id parameter to staticpages.php.
07-12-2016 - 22:01 21-11-2008 - 12:30
CVE-2015-8562 7.5
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
07-12-2016 - 13:28 16-12-2015 - 16:59
CVE-2015-8358 9.0
Directory traversal vulnerability in the bitrix.mpbuilder module before 1.0.12 for Bitrix allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the element name of the "work" array parameter to admin/bitrix.m
07-12-2016 - 13:27 16-12-2015 - 16:59
CVE-2015-8357 6.5
Directory traversal vulnerability in the bitrix.xscan module before 1.0.4 for Bitrix allows remote authenticated users to rename arbitrary files, and consequently obtain sensitive information or cause a denial of service, via a .. (dot dot) in the fi
07-12-2016 - 13:27 16-12-2015 - 16:59
CVE-2015-7984 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that
07-12-2016 - 13:25 19-11-2015 - 15:59
CVE-2015-7858 7.5
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
07-12-2016 - 13:25 29-10-2015 - 16:59
CVE-2015-7857 7.5
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.p
07-12-2016 - 13:25 29-10-2015 - 16:59
CVE-2015-7297 7.5
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
07-12-2016 - 13:23 29-10-2015 - 16:59
CVE-2015-5534 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall before 1.8 allow remote attackers to hijack the authentication of administrators for requests that (1) put the website under maintenance via the maintenance_enable parameter or (2)
07-12-2016 - 13:16 02-11-2015 - 14:59
CVE-2015-5354 5.8
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
07-12-2016 - 13:16 01-07-2015 - 12:59
CVE-2015-5353 7.5
Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tab parameter to admin/.
07-12-2016 - 13:16 01-07-2015 - 12:59
CVE-2015-5065 5.0
Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl
07-12-2016 - 13:15 24-06-2015 - 10:59
CVE-2015-4677 6.8
Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka Fiverr Script) 7.2 allows remote attackers to hijack the authentication of administrators for requests that create a new admin via a request to administrator/admins_create.php.
07-12-2016 - 13:13 19-06-2015 - 10:59
CVE-2015-4659 6.8
Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a config action to index.php.
07-12-2016 - 13:13 18-06-2015 - 14:59
CVE-2015-4414 5.0
Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
07-12-2016 - 13:12 17-06-2015 - 14:59
CVE-2015-4153 5.0
Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to include and execute arbitrary php files via a relative path in the template parameter in a load_template action to wp-admin
07-12-2016 - 13:11 10-06-2015 - 14:59
CVE-2015-8770 6.0
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execu
05-12-2016 - 22:04 29-01-2016 - 14:59
CVE-2015-4137 7.5
SQL injection vulnerability in related.php in Milw0rm Clone Script 1.0 allows remote attackers to execute arbitrary SQL commands via the program parameter.
05-12-2016 - 22:02 29-05-2015 - 10:59
CVE-2015-4119 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php
05-12-2016 - 22:02 15-06-2015 - 11:59
CVE-2015-4118 6.5
SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote atta
05-12-2016 - 22:02 15-06-2015 - 11:59
CVE-2015-4084 4.3
Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php.
05-12-2016 - 22:02 28-05-2015 - 10:59
CVE-2015-3624 5.8
Cross-site request forgery (CSRF) vulnerability in Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx in Ektron Content Management System (CMS) before 9.10 SP1 (Build 9.1.0.184.1.120) allows remote attackers to hijack the authentication of content ad
05-12-2016 - 22:01 09-06-2015 - 10:59
CVE-2015-3440 4.3
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type
05-12-2016 - 22:01 03-08-2015 - 10:59
CVE-2006-5613 7.5
PHP remote file inclusion vulnerability in Core/core.inc.php in MP3 Streaming DownSampler (mp3SDS) 3.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the fullpath parameter.
05-12-2016 - 21:59 30-10-2006 - 20:07
CVE-2006-3928 7.5
PHP remote file inclusion vulnerability in index.php in WMNews 0.2a and earlier allows remote attackers to execute arbitrary PHP code via a URL in the base_datapath parameter.
05-12-2016 - 21:59 31-07-2006 - 17:04
CVE-2015-3221 4.0
OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the i
02-12-2016 - 22:08 26-08-2015 - 15:59
CVE-2015-3141 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies Xeams 4.5 Build 5755 and earlier allow remote attackers to hijack the authentication of administrators for requests that create an (1) SMTP domain or a (2) user vi
02-12-2016 - 22:08 20-05-2015 - 15:59
CVE-2015-2845 10.0
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2844 10.0
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO.
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2843 7.5
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2842 10.0
Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute arbitrary code by uploading a file with an executab
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2825 7.5
Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a dire
02-12-2016 - 22:06 21-04-2015 - 11:59
CVE-2015-2824 7.5
Multiple SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress allow remote attackers to execute arbitrary SQL commands via a (1) hits[][] parameter in a sam_hits action to sam-ajax.php; the (2) cstr parameter in
02-12-2016 - 22:06 06-04-2015 - 11:59
CVE-2015-2803 6.0
SQL injection vulnerability in mod1/index.php in the Akronymmanager (sb_akronymmanager) extension before 7.0.0 for TYPO3 allows remote authenticated users with permission to maintain acronyms to execute arbitrary SQL commands via the id parameter.
02-12-2016 - 22:06 17-06-2015 - 14:59
CVE-2015-2701 6.8
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/.
02-12-2016 - 22:05 25-03-2015 - 10:59
CVE-2015-2680 6.8
Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS before 0.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request in the users page to gxadmin/index
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2679 7.5
Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter to index.php or (2) username parameter to gxadmin/login.php.
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2678 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter in the categories page to gxadmin/index.php or (2) page parameter to index
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2562 7.5
Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD (com_ecommercewd) component 1.2.5 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) search_category_id, (2) sort_order, or (3) filter_manufacturer_id
02-12-2016 - 22:05 20-03-2015 - 10:59
CVE-2015-2295 6.8
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the del
02-12-2016 - 22:04 10-04-2015 - 11:00
CVE-2015-2292 6.5
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL com
02-12-2016 - 22:04 17-03-2015 - 11:59
CVE-2015-2275 4.3
Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy.
02-12-2016 - 22:04 12-03-2015 - 13:59
CVE-2015-2237 7.5
Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) 1.0.4 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showprofile.php or (2) categoryedit.php or (3) username parameter in a login to index.php
02-12-2016 - 22:04 12-03-2015 - 13:59
CVE-2015-2218 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1)
02-12-2016 - 22:04 05-03-2015 - 11:59
CVE-2015-2216 7.5
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.
02-12-2016 - 22:04 05-03-2015 - 10:59
CVE-2010-4279 10.0
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in
02-12-2016 - 21:59 02-12-2010 - 12:15
CVE-2015-2102 7.5
SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) allows remote attackers to execute arbitrary SQL commands via the item parameter.
29-11-2016 - 22:01 27-02-2015 - 10:59
CVE-2015-2090 7.5
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for Wordpress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-a
29-11-2016 - 22:01 26-02-2015 - 10:59
CVE-2015-2084 6.8
Cross-site request forgery (CSRF) vulnerability in the Easy Social Icons plugin before 1.2.3 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the ima
29-11-2016 - 22:00 25-02-2015 - 17:59
CVE-2015-2071 4.0
Directory traversal vulnerability in cm/newui/blog/export.jsp in eTouch SamePage Enterprise Edition 4.4.0.0.239 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the filepath parameter.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2070 7.5
SQL injection vulnerability in eTouch SamePage Enterprise Edition 4.4.0.0.239 allows remote attackers to execute arbitrary SQL commands via the catId parameter to cm/blogrss/feed.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2068 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2067 5.0
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2065 7.5
SQL injection vulnerability in videogalleryrss.php in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the vid parameter in a rss action to wp-admi
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2016-8582 7.5
A vulnerability exists in gauge.php of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to execute an arbitrary SQL query and retrieve database information or read local system files via MySQL's LOAD_FILE.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-8581 4.3
A persistent XSS vulnerability exists in the User-Agent header of the login process of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to steal session IDs of logged in users when the current sessions are viewed by an administrator.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-8580 7.5
PHP object injection vulnerabilities exist in multiple widget files in AlienVault OSSIM and USM before 5.3.2. These vulnerabilities allow arbitrary PHP code execution via magic methods in included classes.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-6483 5.0
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and
28-11-2016 - 15:33 01-09-2016 - 21:59
CVE-2016-5734 7.5
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a craf
28-11-2016 - 15:29 02-07-2016 - 21:59
CVE-2016-4309 7.6
Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter.
28-11-2016 - 15:17 30-06-2016 - 13:59
CVE-2015-5066 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the MetalGenix GeniXCMS 0.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) content or (2) title field in an add action in the posts page to index.php or the (3) q par
28-11-2016 - 14:31 24-06-2015 - 10:59
CVE-2015-4133 7.5
Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via
28-11-2016 - 14:27 28-05-2015 - 10:59
CVE-2015-3986 4.3
Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators f
28-11-2016 - 14:27 14-05-2015 - 10:59
CVE-2015-3301 4.0
Directory traversal vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote administrators to read arbitrary files via a .. (dot dot) in the tcp_box
28-11-2016 - 14:23 14-05-2015 - 10:59
CVE-2015-3300 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via th
28-11-2016 - 14:23 14-05-2015 - 10:59
CVE-2015-1366 4.3
Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.
28-11-2016 - 14:18 27-01-2015 - 15:04
CVE-2006-5055 7.5
PHP remote file inclusion vulnerability in admin/testing/tests/0004_init_urls.php in syntaxCMS 1.1.1 through 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the init_path parameter.
28-11-2016 - 14:06 27-09-2006 - 20:07
CVE-2006-4885 7.5
PHP remote file inclusion vulnerability in Shadowed Portal 5.599 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter in (1) footer.php and (2) header.php. NOTE: the provenance of this information is unkn
28-11-2016 - 14:06 19-09-2006 - 17:07
CVE-2006-4714 5.1
PHP remote file inclusion vulnerability in index.php in SpoonLabs Vivvo Article Management CMS (aka phpWordPress) 3.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the classified_pat
28-11-2016 - 14:06 12-09-2006 - 12:07
CVE-2006-0206 7.5
Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php.
28-11-2016 - 14:06 13-01-2006 - 18:03
CVE-2007-0683 7.5
PHP remote file inclusion vulnerability in includes/functions.php in Omegaboard 1.0beta4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
21-11-2016 - 09:17 02-02-2007 - 20:28
CVE-2006-1252 7.5
Eval injection vulnerability in cal.php in Light Weight Calendar (LWC) 1.0 allows remote attackers to execute arbitrary PHP code via the date parameter to index.php.
18-11-2016 - 22:00 18-03-2006 - 20:02
CVE-2016-8869 7.5
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2016-8870 6.8
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Al
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2006-6552 7.5
PHP remote file inclusion vulnerability in admin/plugins/NP_UserSharing.php in BLOG:CMS 4.1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DIR_ADMIN parameter.
17-10-2016 - 23:42 14-12-2006 - 13:28
CVE-2006-5893 7.5
Multiple PHP remote file inclusion vulnerabilities in iWonder Designs Storystream 0.4.0.0 allow remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter to (1) mysql.php and (2) mysqli.php in include/classes/pear/DB/.
17-10-2016 - 23:41 14-11-2006 - 17:07
CVE-2006-5768 7.5
Multiple PHP remote file inclusion vulnerabilities in Cyberfolio 2.0 RC1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the av parameter to (1) msg/view.php, (2) msg/inc_message.php, (
17-10-2016 - 23:41 06-11-2006 - 18:07
CVE-2006-5471 7.5
PHP remote file inclusion vulnerability in example/lib/grid3.lib.php in Softerra PHP Developer Library 1.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the (1) cfg_dir and (2) lib_dir parameters.
17-10-2016 - 23:41 24-10-2006 - 16:07
CVE-2006-5301 6.8
PHP remote file inclusion vulnerability in includes/antispam.php in the SpamBlockerMODv 1.0.2 and earlier module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
17-10-2016 - 23:41 17-10-2006 - 11:07
CVE-2006-5259 7.5
PHP remote file inclusion vulnerability in param_editor.php in Compteur 2 allows remote attackers to execute arbitrary PHP code via a URL in the folder parameter.
17-10-2016 - 23:41 12-10-2006 - 18:07
CVE-2006-4922 5.0
Unrestricted file upload vulnerability in starnet/editors/htmlarea/popups/images.php in Site@School (S@S) 2.4.02 and earlier allows remote attackers to upload and execute arbitrary files with executable extensions.
17-10-2016 - 23:41 20-09-2006 - 21:07
CVE-2006-4921 7.5
PHP remote file inclusion vulnerability in Site@School (S@S) 2.4.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to starnet/modules/include/include.php. NOTE: some of these details are obtained f
17-10-2016 - 23:41 20-09-2006 - 21:07
CVE-2006-4920 7.5
Multiple PHP remote file inclusion vulnerabilities in Site@School (S@S) 2.4.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to (1) starnet/modules/sn_allbum/slideshow.php, and (2) starnet/themes/e
17-10-2016 - 23:41 20-09-2006 - 21:07
CVE-2006-4369 2.6
Absolute path traversal vulnerability in includes/functions_portal.php in IntegraMOD Portal 2.x and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via an absolute pathname in the phpbb_root_path parameter.
17-10-2016 - 23:40 26-08-2006 - 17:04
CVE-2006-4368 7.5
PHP remote file inclusion vulnerability in includes/functions_portal.php in IntegraMOD Portal 2.x and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
17-10-2016 - 23:40 26-08-2006 - 17:04
CVE-2006-4365 7.5
Multiple PHP remote file inclusion vulnerabilities in VistaBB 2.0.33 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) includes/functions_mod_user.php or (2) includes/functions_portal.p
17-10-2016 - 23:40 26-08-2006 - 17:04
CVE-2006-3528 6.8
Multiple PHP remote file inclusion vulnerabilities in Simpleboard Mambo module 1.1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the sbp parameter to (1) image_upload.php and (2) file_upload.php.
17-10-2016 - 23:40 11-07-2006 - 20:05
CVE-2005-3363 7.5
SQL injection vulnerability in Saphp Lesson, possibly saphp Lesson1.1 and saphpLesson2.0, allows remote attackers to execute arbitrary SQL commands via the forumid parameter in (1) showcat.php and (2) add.php.
17-10-2016 - 23:34 30-10-2005 - 09:34
CVE-2005-2412 5.0
PHP remote file inclusion vulnerability in block.php in PHP FirstPost allows remote attackers to execute arbitrary PHP code via the Include parameter.
17-10-2016 - 23:26 03-08-2005 - 00:00
CVE-2005-1598 7.5
SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable.
17-10-2016 - 23:21 16-05-2005 - 00:00
CVE-2005-0725 7.5
SQL injection vulnerability in the getAllbyArticle function in wfsfiles.php for WF-Sections (wfsections) 1.07 allows remote attackers to execute arbitrary SQL commands via the articleid parameter to article.php.
17-10-2016 - 23:14 08-03-2005 - 00:00
CVE-2004-1580 7.5
SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1553 7.5
SQL injection vulnerability in aspWebAlbum allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the cat parameter to album.asp. NOTE: it was later reported that vector 1 affects aspWebAlbum
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2008-5308 7.5
The Simple Forum 3.1d module for LoveCMS 1.6.2 Final does not properly restrict access to administrator functions, which allows remote attackers to change the administrator password via a direct request to modules/simpleforum/admin/index.php.
11-10-2016 - 21:59 02-12-2008 - 07:00
CVE-2010-2685 7.5
siteadmin/adduser.php in Customer Paradigm PageDirector CMS does not properly restrict access, which allows remote attackers to bypass intended restrictions and add administrative users via a direct request.
06-10-2016 - 21:59 12-07-2010 - 09:27
CVE-2008-5619 10.0
html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input tha
22-09-2016 - 21:59 16-12-2008 - 21:30
CVE-2013-3961 6.5
SQL injection vulnerability in edit_event.php in Simple PHP Agenda before 2.2.9 allows remote authenticated users to execute arbitrary SQL commands via the eventid parameter.
21-09-2016 - 10:25 11-03-2014 - 15:37
CVE-2009-5089 4.3
Directory traversal vulnerability in index.php in IdeaCart 0.02 and 0.02a allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter.
20-09-2016 - 00:00 12-09-2011 - 08:40
CVE-2011-5197 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Harvester Systems 2.3.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload PHP files
19-09-2016 - 23:56 23-09-2012 - 13:55
CVE-2011-5196 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Journal Systems 2.3.6 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload PHP files.
19-09-2016 - 23:56 23-09-2012 - 13:55
CVE-2011-5195 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Conference Systems 2.3.4 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload a PHP fi
19-09-2016 - 23:55 23-09-2012 - 13:55
CVE-2014-4034 7.5
SQL injection vulnerability in zero_view_article.php in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter.
06-09-2016 - 10:18 11-06-2014 - 10:55
CVE-2014-10021 7.5
Unrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to t
06-09-2016 - 09:10 13-01-2015 - 06:59
CVE-2007-2430 7.8
shared/code/tce_tmx.php in TCExam 4.0.011 and earlier allows remote attackers to create arbitrary PHP files in cache/ by placing file contents and directory traversal manipulations into a SessionUserLang cookie to public/code/index.php.
26-08-2016 - 21:59 01-05-2007 - 20:19
CVE-2007-2304 7.5
Multiple directory traversal vulnerabilities in Quick and Dirty Blog (QDBlog) 0.4, and possibly earlier, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme parameter to categories.php and other unspeci
23-08-2016 - 21:59 26-04-2007 - 17:19
CVE-2011-4885 5.0
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
22-08-2016 - 22:04 29-12-2011 - 20:55
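The entry above describes the hash-collision denial of service against PHP's form-parameter table. The following Python is an added illustration of the mechanism, not code from PHP or from the advisory: it implements the times-33 string hash (DJBX33A) that PHP used for array keys, builds parameter names that all land in one bucket, and models the mitigation PHP 5.3.9 introduced (a cap on the number of input variables, `max_input_vars`). The request bodies it builds are constructed for the demonstration.

```python
from itertools import product
from urllib.parse import parse_qsl

MASK64 = (1 << 64) - 1


def djbx33a(key: str) -> int:
    """Times-33 string hash (DJBX33A) as used for PHP array keys, reduced to
    64 bits the way an unsigned long would wrap. Every array key PHP builds
    from a form parameter goes through this function."""
    h = 5381
    for byte in key.encode("latin-1"):
        h = ((h << 5) + h + byte) & MASK64
    return h


# Two-character blocks with identical times-33 value:
# 'E'*33 + 'z' == 'F'*33 + 'Y' == 'G'*33 + '8' == 2399.
COLLIDING_BLOCKS = ("Ez", "FY", "G8")


def colliding_keys(blocks: int) -> list:
    """Any concatenation of `blocks` colliding blocks hashes to the same
    value, so this yields 3**blocks distinct keys sharing one bucket."""
    return ["".join(combo) for combo in product(COLLIDING_BLOCKS, repeat=blocks)]


def all_same_bucket(keys) -> bool:
    """True when every key hashes identically (one bucket, O(n^2) inserts)."""
    return len({djbx33a(k) for k in keys}) == 1


def hostile_body(blocks: int) -> str:
    """Constructed POST body in which every parameter name collides."""
    return "&".join(f"{k}=1" for k in colliding_keys(blocks))


def parse_form(body: str, max_vars: int = 1000) -> dict:
    """Mitigation modelled on PHP's max_input_vars: count the parameters and
    refuse the request before any of them is inserted into a hash table."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if len(pairs) > max_vars:
        raise ValueError(f"too many form parameters ({len(pairs)} > {max_vars})")
    return dict(pairs)


def rejects(body: str, max_vars: int) -> bool:
    """Helper for checks: does parse_form refuse this body?"""
    try:
        parse_form(body, max_vars)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = colliding_keys(5)
    print(len(keys), "keys, one bucket:", all_same_bucket(keys))
    print("rejected with max_vars=100:", rejects(hostile_body(5), 100))
```

The cap does not make the hash function any stronger; it bounds the work an attacker can force per request. Randomised hashing (as later PHP and other runtimes adopted) removes the predictability that lets the collisions be precomputed at all.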
CVE-2010-3709 4.3
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.
22-08-2016 - 22:02 08-11-2010 - 20:00
CVE-2009-1030 4.3
Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
22-08-2016 - 21:59 19-03-2009 - 20:30
CVE-2016-3078 7.5
Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1
09-08-2016 - 10:55 07-08-2016 - 06:59
CVE-2015-1875 7.5
SQL injection vulnerability in a2billing/customer/iridium_threed.php in Elastix 2.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the transactionID parameter.
03-08-2016 - 23:17 11-03-2015 - 10:59
CVE-2016-5304 4.9
Open redirect vulnerability in a report-routing component in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vecto
01-07-2016 - 19:13 30-06-2016 - 19:59
CVE-2016-3653 6.0
Multiple cross-site request forgery (CSRF) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to hijack the authentication of arbitrary users.
01-07-2016 - 19:11 30-06-2016 - 19:59
CVE-2016-3652 3.5
Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
01-07-2016 - 19:11 30-06-2016 - 19:59
CVE-2013-4810 10.0
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServ
29-06-2016 - 10:12 16-09-2013 - 09:01
CVE-2012-4901 4.3
Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.
27-05-2016 - 11:30 20-05-2015 - 15:59
CVE-2016-2784 2.6
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a reques
26-05-2016 - 18:12 26-05-2016 - 10:59
CVE-2014-1683 6.8
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name,
25-05-2016 - 11:16 29-01-2014 - 13:55
CVE-2007-5992 7.5
SQL injection vulnerability in index.php in datecomm Social Networking Script (aka Myspace Clone Script) allows remote attackers to execute arbitrary SQL commands via the seid parameter in a viewcat s action on the forums page.
11-05-2016 - 12:06 15-11-2007 - 17:46
CVE-2014-3704 7.5
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
31-03-2016 - 13:36 15-10-2014 - 20:55
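The entry above is the Drupal 7 "expandArguments" SQL injection: array-valued bind parameters are expanded into one placeholder per element, and the placeholder names were built from the array's keys, which a request can control. The Python below is an added, simplified model of that expansion, not Drupal's code; the query, the `:name` placeholder and the hostile keys are constructed for the example. The hardened variant discards the caller's keys and numbers the values positionally, which is what the 7.32 fix did with `array_values`.

```python
import re


def expand_arguments(query: str, args: dict, use_keys: bool = True):
    """Expand array-valued bind parameters into one placeholder per element.

    use_keys=True  : placeholder names come from the array's own keys, so a
                     key such as "0 ; UPDATE ..." is spliced into the SQL text.
    use_keys=False : placeholder names come from a fresh positional index,
                     so the SQL text never contains request-controlled bytes.
    Returns the rewritten query and the flattened argument dict.
    """
    expanded = dict(args)
    for name, data in args.items():
        if not isinstance(data, dict):
            continue  # scalar bind parameter, nothing to expand
        items = data.items() if use_keys else enumerate(data.values())
        new_keys = {f"{name}_{i}": value for i, value in items}
        placeholder_list = ", ".join(new_keys)
        # A callable replacement keeps re.sub from interpreting backslashes
        # in the (possibly hostile) replacement text.
        query = re.sub(rf"{re.escape(name)}\b", lambda _m: placeholder_list, query)
        del expanded[name]
        expanded.update(new_keys)
    return query, expanded


def placeholders_are_clean(args: dict) -> bool:
    """Defensive check a query layer can apply: every bind name must be a
    plain identifier. Anything else means request data reached the SQL text."""
    return all(re.fullmatch(r":\w+", k) is not None for k in args)


if __name__ == "__main__":
    base = "SELECT * FROM users WHERE name IN (:name)"
    # Constructed hostile input, as PHP would decode name[0 ; UPDATE ...]=admin
    hostile = {"0 ; UPDATE users SET pass='x' -- ": "admin", "1": "guest"}
    print(expand_arguments(base, {":name": hostile}, use_keys=True)[0])
    print(expand_arguments(base, {":name": hostile}, use_keys=False)[0])
```

The first print shows the attacker's text inside the statement; the second shows only `:name_0, :name_1`. The lesson generalises beyond this CVE: anything that becomes part of the SQL text (placeholder names, column lists, ORDER BY targets) must be generated or whitelisted, never taken from request keys, even when the values themselves are bound safely.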
CVE-2015-8279 5.0
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an unspecified PHP script.
20-01-2016 - 14:53 14-01-2016 - 22:59
CVE-2015-8566 7.5
The Session package 1.x before 1.3.1 for Joomla! Framework allows remote attackers to execute arbitrary code via unspecified session values.
17-12-2015 - 12:32 16-12-2015 - 16:59
CVE-2014-5193 4.3
Cross-site scripting (XSS) vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the category parameter. NOTE: the url parameter vector is already covered by CVE-2014-5082.
04-12-2015 - 11:18 07-08-2014 - 07:13
CVE-2015-1494 4.3
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as d
27-11-2015 - 14:20 17-02-2015 - 10:59
CVE-2008-2566 4.3
Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the group parameter to (1) index.php or (2) the default URI.
27-11-2015 - 12:16 06-06-2008 - 14:32
CVE-2008-2565 7.5
Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) edit.php. NOTE: it was later reported that 4.0.x is also affected.
27-11-2015 - 12:16 06-06-2008 - 14:32
CVE-2015-7808 7.5
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/h
25-11-2015 - 15:23 24-11-2015 - 15:59
CVE-2008-4157 7.5
SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 1.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter, a different vector than CVE-2007-3610. NOTE: it was later reported that 1.2.3 is also affected.
24-11-2015 - 13:07 22-09-2008 - 14:34
CVE-2008-2335 4.3
Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party info
24-11-2015 - 11:45 19-05-2008 - 09:20
CVE-2015-1365 5.0
Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.
23-11-2015 - 13:32 27-01-2015 - 15:04
CVE-2014-7176 6.5
SQL injection vulnerability in Enalean Tuleap before 7.5.99.4 allows remote authenticated users to execute arbitrary SQL commands via the lobal_txt parameter to plugins/docman.
20-11-2015 - 11:26 04-11-2014 - 10:55
CVE-2014-8690 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src para
19-11-2015 - 12:24 19-02-2015 - 10:59
CVE-2015-1518 7.5
SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.
19-11-2015 - 11:55 11-02-2015 - 14:59
CVE-2014-1222 4.0
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that thi
19-11-2015 - 11:54 12-08-2014 - 19:55
CVE-2014-5460 6.5
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-
16-11-2015 - 23:07 11-09-2014 - 11:55
CVE-2014-5082 7.5
Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1.3.6 and earlier, Sphider Pro, and Sphider-plus allow remote attackers to execute arbitrary SQL commands via the (1) site_id or (2) url parameter.
04-11-2015 - 11:32 06-08-2014 - 14:55
CVE-2014-3085 7.1
systest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the lpres parameter.
02-11-2015 - 12:56 17-08-2014 - 19:55
CVE-2014-3081 6.3
prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter.
02-11-2015 - 12:56 17-08-2014 - 19:55
CVE-2014-1695 4.3
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.
13-10-2015 - 12:35 28-02-2014 - 19:01
CVE-2014-2579 7.6
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrator password via the config task to inde
08-10-2015 - 10:50 25-04-2014 - 16:55
CVE-2014-4960 7.5
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid
05-10-2015 - 22:37 21-07-2014 - 10:55
CVE-2014-6446 7.5
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.
01-10-2015 - 13:08 26-09-2014 - 17:55
CVE-2015-3203 7.5
Unrestricted file upload vulnerability in h5ai before 0.25.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the href
29-09-2015 - 15:25 28-09-2015 - 12:59
CVE-2014-3871 7.5
Multiple SQL injection vulnerabilities in register.php in Geodesic Solutions GeoCore MAX 7.3.3 (formerly GeoClassifieds and GeoAuctions) allow remote attackers to execute arbitrary SQL commands via the (1) c[password] or (2) c[username] parameter. N
29-09-2015 - 14:48 27-05-2014 - 09:55
CVE-2015-7382 7.5
SQL injection vulnerability in install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary SQL commands via the defaultCharacterSet parameter, a different issue than CVE-2015-6009.
28-09-2015 - 21:07 27-09-2015 - 22:59
CVE-2015-7381 7.5
Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different i
28-09-2015 - 21:06 27-09-2015 - 22:59
CVE-2015-6009 7.5
Multiple SQL injection vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary SQL commands via (1) the where parameter to rss.php or (2) the sqlQuery parameter to search.php, a different issu
28-09-2015 - 20:52 27-09-2015 - 22:59
CVE-2015-6008 7.5
install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary commands via the adminPassword parameter, a different issue than CVE-2015-7381.
28-09-2015 - 20:51 27-09-2015 - 22:59
CVE-2015-7309 6.5
The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it.
23-09-2015 - 15:15 22-09-2015 - 11:59
CVE-2015-6965 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a f
17-09-2015 - 14:21 16-09-2015 - 10:59
CVE-2015-6810 3.5
Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_locatio
04-09-2015 - 14:59 04-09-2015 - 11:59
CVE-2014-9605 9.4
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) chara
04-09-2015 - 14:31 04-09-2015 - 11:59
CVE-2015-6809 4.3
Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter
04-09-2015 - 14:26 04-09-2015 - 11:59
CVE-2014-3080 4.3
Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to kvm.cgi or (2) the
02-09-2015 - 12:55 17-08-2014 - 19:55
CVE-2006-3823 5.1
SQL injection vulnerability in index.php in GeodesicSolutions (1) GeoAuctions Premier 2.0.3 and (2) GeoClassifieds Basic 2.0.3 allows remote attackers to execute arbitrary SQL commands via the b parameter.
01-09-2015 - 12:59 25-07-2006 - 09:22
CVE-2014-3544 3.5
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via th
31-08-2015 - 14:09 29-07-2014 - 07:10
CVE-2014-4710 4.3
Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field.
28-08-2015 - 12:35 29-07-2014 - 10:55
CVE-2015-6519 7.5
SQL injection vulnerability in Arab Portal 3 allows remote attackers to execute arbitrary SQL commands via the showemail parameter in a signup action to members.php.
20-08-2015 - 13:38 18-08-2015 - 14:00
CVE-2015-6512 5.0
SQL injection vulnerability in the get_messages function in server/plugins/chatroom/chatroom.php in FreiChat 9.6 allows remote attackers to execute arbitrary SQL commands via the time parameter to server/freichat.php.
19-08-2015 - 19:10 18-08-2015 - 11:59
CVE-2015-6516 6.5
SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier allows remote authenticated users to execute arbitrary SQL commands via the search parameter to ajax/ajax_search.php.
19-08-2015 - 14:51 18-08-2015 - 11:59
CVE-2015-4666 5.0
Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.4.4.5 and earlier allows remote attackers to read arbitrary files via a ....// (quadruple dot double slash) in the logFile parameter.
13-08-2015 - 14:29 13-08-2015 - 10:59
CVE-2015-4665 4.3
Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium Xsuite 2.4.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the fileName parameter.
13-08-2015 - 14:25 13-08-2015 - 10:59
CVE-2014-0793 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas Komento (com_komento) component before 1.7.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website or (2) latitude parameter in a comment to
13-08-2015 - 13:49 30-01-2014 - 13:55
CVE-2015-4616 5.0
Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter.
11-08-2015 - 10:46 08-07-2015 - 12:59
CVE-2015-4614 7.5
Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-
11-08-2015 - 10:46 08-07-2015 - 12:59
CVE-2014-8954 4.3
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.ph
06-08-2015 - 12:45 17-11-2014 - 11:59
CVE-2014-2009 5.0
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.
05-08-2015 - 12:34 12-09-2014 - 10:55
CVE-2014-2008 7.5
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.
05-08-2015 - 12:34 12-09-2014 - 10:55
CVE-2014-3247 4.3
Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the desc parameter in an Add project (addpro) action to admin.php.
31-07-2015 - 21:38 15-05-2014 - 10:55
CVE-2013-2639 4.3
Cross-site scripting (XSS) vulnerability in CTERA Cloud Storage OS before 3.2.29.0, 3.2.42.0, and earlier allows remote attackers to inject arbitrary web script or HTML via the description in a project folder.
30-07-2015 - 10:43 11-02-2014 - 12:55
CVE-2015-2183 7.5
Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an
28-07-2015 - 11:05 10-03-2015 - 10:59
CVE-2013-6872 6.5
SQL injection vulnerability in managetimetracker.php in Collabtive before 1.2 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a projectpdf action.
28-07-2015 - 10:49 21-01-2014 - 10:17
CVE-2008-6844 7.5
The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, Con
27-07-2015 - 14:36 02-07-2009 - 06:30
CVE-2013-6058 7.5
SQL injection vulnerability in appRain CMF 3.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to blog-by-cat/.
27-07-2015 - 12:11 14-11-2013 - 15:55
CVE-2015-5530 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/crea
21-07-2015 - 07:26 16-07-2015 - 11:59
CVE-2015-5529 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to dashboard/settings/categories/, (2) title or (3) rel parameter to das
21-07-2015 - 07:25 16-07-2015 - 11:59
CVE-2015-1579 5.0
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerab
14-07-2015 - 14:22 11-02-2015 - 14:59
CVE-2014-9734 5.0
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php
01-07-2015 - 11:12 30-06-2015 - 10:59
CVE-2015-4018 6.5
SQL injection vulnerability in feedwordpresssyndicationpage.class.php in the FeedWordPress plugin before 2015.0514 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the link_ids[] parameter in an Update action in t
25-06-2015 - 12:22 21-05-2015 - 16:59
CVE-2015-3337 4.3
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
25-06-2015 - 12:07 01-05-2015 - 11:59
CVE-2015-3325 7.5
SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI.
25-06-2015 - 11:50 15-05-2015 - 14:59
CVE-2015-4658 7.5
Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm Clone Script 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) usr or (2) pwd parameter.
19-06-2015 - 10:37 18-06-2015 - 14:59
CVE-2015-4465 4.3
Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
11-06-2015 - 13:47 10-06-2015 - 14:59
CVE-2015-4066 6.5
Multiple SQL injection vulnerabilities in admin/handlers.php in the GigPress plugin before 2.3.9 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) show_artist_id or (2) show_venue_id parameter in an add acti
02-06-2015 - 10:08 27-05-2015 - 14:59
CVE-2015-4065 3.5
Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/po
28-05-2015 - 10:57 27-05-2015 - 14:59
CVE-2015-4064 6.5
SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-ad
28-05-2015 - 10:56 27-05-2015 - 14:59
CVE-2015-4063 3.5
Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-a
28-05-2015 - 10:55 27-05-2015 - 14:59
CVE-2015-4062 6.5
SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php.
28-05-2015 - 10:54 27-05-2015 - 14:59
CVE-2012-4902 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php
21-05-2015 - 11:32 20-05-2015 - 15:59
CVE-2012-5849 7.5
Multiple SQL injection vulnerabilities in ClipBucket 2.6 Revision 738 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) uid parameter in an add_friend action to ajax.php; id parameter in a (2) share_object, (3) add_to_f
15-05-2015 - 09:27 14-05-2015 - 10:59
CVE-2014-9258 6.5
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
17-04-2015 - 21:59 19-12-2014 - 10:59
CVE-2014-9146 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) id, (3) page, or (4) app parameter to the default URI or the (5) act parameter to dapur/index.
15-04-2015 - 11:11 14-04-2015 - 10:59
CVE-2014-9145 7.5
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an edit action to dapur/index.php; (2) cat, (3) user, or (4) level parameter to dapur/apps/app_article/con
15-04-2015 - 09:20 14-04-2015 - 10:59
CVE-2014-9445 7.5
SQL injection vulnerability in incl/create.inc.php in Installatron GQ File Manager 0.2.5 allows remote attackers to execute arbitrary SQL commands via the create parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) atta
06-04-2015 - 12:55 02-01-2015 - 15:59
CVE-2014-100003 7.5
SQL injection vulnerability in includes/ym-download_functions.include.php in the Code Futures YourMembers plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ym_download_id parameter to the default URI.
24-03-2015 - 16:49 13-01-2015 - 06:59
CVE-2014-9261 5.0
The sanitize function in Codoforum 2.5.1 does not properly implement filtering for directory traversal sequences, which allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to index.php.
24-03-2015 - 10:45 23-03-2015 - 12:59
CVE-2015-2564 6.5
SQL injection vulnerability in client-edit.php in ProjectSend (formerly cFTP) r561 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to users-edit.php.
23-03-2015 - 09:30 20-03-2015 - 10:59
CVE-2015-2208 7.5
The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter.
12-03-2015 - 12:42 12-03-2015 - 10:59
CVE-2015-2182 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allow remote attackers to inject arbitrary web script or HTML via the (1) schltr parameter in a brands action or (2) brand parameter in a viewbrands action to index.php. NOTE: The sea
11-03-2015 - 15:38 11-03-2015 - 10:59
CVE-2010-5322 4.3
Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php.
11-03-2015 - 11:05 11-03-2015 - 10:59
CVE-2015-2184 5.0
ZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function.
11-03-2015 - 10:55 10-03-2015 - 10:59
CVE-2015-2199 6.5
Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-a
04-03-2015 - 14:14 03-03-2015 - 14:59
CVE-2015-2198 4.3
Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly hand
04-03-2015 - 14:13 03-03-2015 - 14:59
CVE-2015-2196 7.5
SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.
04-03-2015 - 14:11 03-03-2015 - 14:59
CVE-2015-1587 7.5
Unrestricted file upload vulnerability in file_to_index.php in Maarch LetterBox 2.8 and earlier and GEC/GED 1.4 and earlier allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a reques
20-02-2015 - 20:33 19-02-2015 - 10:59
CVE-2014-9101 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (X
18-02-2015 - 13:53 26-11-2014 - 10:59
CVE-2015-1577 6.4
Directory traversal vulnerability in u5admin/deletefile.php in u5CMS before 3.9.4 allows remote attackers to write to arbitrary files via a (1) .. (dot dot) or (2) full pathname in the f parameter.
12-02-2015 - 12:53 11-02-2015 - 14:59
CVE-2015-1575 4.3
Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php;
12-02-2015 - 12:51 11-02-2015 - 14:59
CVE-2015-1476 7.5
Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allow remote attackers to execute arbitrary SQL commands via the (1) productbycat parameter to product.php, or (2) username or (3) password parameter to __admin/index.php.
04-02-2015 - 14:40 04-02-2015 - 11:59
CVE-2015-1428 7.5
Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands vi
04-02-2015 - 11:59 03-02-2015 - 11:59
CVE-2015-1422 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak
02-02-2015 - 11:52 29-01-2015 - 10:59
CVE-2015-1424 6.8
Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php.
30-01-2015 - 14:05 29-01-2015 - 10:59
CVE-2015-1423 6.5
Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php.
30-01-2015 - 14:04 29-01-2015 - 10:59
CVE-2015-1376 4.0
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.
28-01-2015 - 12:05 28-01-2015 - 06:59
CVE-2015-1375 7.5
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
28-01-2015 - 11:50 28-01-2015 - 06:59
CVE-2015-1364 7.5
SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/.
28-01-2015 - 10:53 27-01-2015 - 15:04
CVE-2014-6242 6.5
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp
26-01-2015 - 13:53 02-10-2014 - 10:55
CVE-2015-1060 5.8
Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
20-01-2015 - 09:20 16-01-2015 - 10:59
CVE-2015-1059 6.5
Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/u
20-01-2015 - 09:02 16-01-2015 - 10:59
CVE-2015-1058 4.3
Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/
20-01-2015 - 09:01 16-01-2015 - 10:59
CVE-2015-1057 4.3
Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value.
20-01-2015 - 09:00 16-01-2015 - 10:59
CVE-2015-1054 3.5
Cross-site scripting (XSS) vulnerability in the Games feature in Crea8Social 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the Game Content field in Add Game.
20-01-2015 - 08:58 16-01-2015 - 10:59
CVE-2014-9308 6.5
Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an
16-01-2015 - 11:29 15-01-2015 - 10:59
CVE-2014-10033 6.5
SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.
14-01-2015 - 16:50 13-01-2015 - 10:59
CVE-2014-10034 6.5
Multiple SQL injection vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to execute arbitrary SQL commands via the (1) iDisplayLength or (2) iDisplayStart parameter to (a) comments_paginate.php or (b) stores_pagi
14-01-2015 - 16:50 13-01-2015 - 10:59
CVE-2014-10035 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to inject arbitrary web script or HTML via the (1) sEcho parameter to comments_paginate.php or (2) stores_paginate.php or the
14-01-2015 - 16:42 13-01-2015 - 10:59
CVE-2014-100011 7.5
SQL injection vulnerability in /send-to in Sendy 1.1.9.1 allows remote attackers to execute arbitrary SQL commands via the c parameter.
14-01-2015 - 16:38 13-01-2015 - 10:59
CVE-2014-10032 6.5
SQL injection vulnerability in news_popup.php in Taboada MacroNews 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
14-01-2015 - 16:37 13-01-2015 - 10:59
CVE-2014-10038 7.5
SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
14-01-2015 - 15:11 13-01-2015 - 10:59
CVE-2014-10037 7.5
Directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php.
14-01-2015 - 15:10 13-01-2015 - 10:59
CVE-2014-100020 7.5
SQL injection vulnerability in ChangeEmail.php in iTechClassifieds 3.03.057 allows remote attackers to execute arbitrary SQL commands via the PreviewNum parameter. NOTE: the CatID parameter is already covered by CVE-2008-0685.
14-01-2015 - 14:50 13-01-2015 - 10:59
CVE-2014-100017 4.3
Cross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field.
14-01-2015 - 14:48 13-01-2015 - 10:59
CVE-2014-100012 7.5
SQL injection vulnerability in /app in Sendy 1.1.8.4 allows remote attackers to execute arbitrary SQL commands via the i parameter.
14-01-2015 - 14:45 13-01-2015 - 10:59
CVE-2014-10023 7.5
Multiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) edit_block.php, (2) edit_cat.php, (3) edit_note.php, or (4) rmv_topic.php in admincp/.
13-01-2015 - 19:29 13-01-2015 - 06:59
CVE-2014-10020 7.5
SQL injection vulnerability in login.php in Simple e-document 1.31 allows remote attackers to execute arbitrary SQL commands via the username parameter.
13-01-2015 - 19:27 13-01-2015 - 06:59
CVE-2014-10013 7.5
SQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the keywordphrase parameter in a dosearch action.
13-01-2015 - 19:15 13-01-2015 - 06:59
CVE-2014-10010 5.0
Directory traversal vulnerability in PHPJabbers Appointment Scheduler 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter in a pjActionDownload action to the pjBackup controller.
13-01-2015 - 19:03 13-01-2015 - 06:59
CVE-2014-10001 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Appointment Scheduler 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the i18n[1][
13-01-2015 - 18:02 13-01-2015 - 06:59
CVE-2014-100002 5.0
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
13-01-2015 - 15:48 13-01-2015 - 06:59
CVE-2014-8810 6.5
SQL injection vulnerability in ajax/mail_functions.php in the WP Symposium plugin before 14.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tray parameter in a getMailMessage action.
12-01-2015 - 02:12 24-12-2014 - 13:59
CVE-2014-4644 7.5
SQL injection vulnerability in superlinks.php in the superlinks plugin 1.4-2 for Cacti allows remote attackers to execute arbitrary SQL commands via the id parameter.
12-01-2015 - 02:10 25-06-2014 - 16:55
CVE-2014-9582 4.3
Cross-site scripting (XSS) vulnerability in components/filemanager/dialog.php in Codiad 2.4.3 allows remote attackers to inject arbitrary web script or HTML via the short_name parameter in a rename action. NOTE: this issue was originally incorrectly
10-01-2015 - 21:59 08-01-2015 - 15:59
CVE-2014-9581 5.0
Directory traversal vulnerability in components/filemanager/download.php in Codiad 2.4.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter. NOTE: this issue was originally incorrectly mapped to CVE-2014-1137; s
10-01-2015 - 21:59 08-01-2015 - 15:59
CVE-2014-9580 4.3
Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) r561 allows remote attackers to inject arbitrary web script or HTML via the Description field in a file upload. NOTE: this issue was originally incorrectly mapped to CVE-2014-11
10-01-2015 - 21:59 08-01-2015 - 14:59
CVE-2014-9440 7.5
SQL injection vulnerability in browse.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the category parameter.
10-01-2015 - 21:59 02-01-2015 - 14:59
CVE-2011-3713 5.0
cFTP r80 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by templates/session_check.php and certain other files.
09-01-2015 - 21:59 23-09-2011 - 19:55
CVE-2014-1155
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9580. Reason: This candidate is not authorized for use because it is part of the 2014 CVE-ID ID-Syntax protection block, which protects against accidental truncation of CVE IDs wi
09-01-2015 - 19:59 09-01-2015 - 19:59
CVE-2014-1137
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9445, CVE-2014-9581, CVE-2014-9582. Reason: This candidate is not authorized for use because it is part of the 2014 CVE-ID ID-Syntax protection block, which protects against accid
09-01-2015 - 19:59 09-01-2015 - 19:59
CVE-2014-9567 7.5
Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to th
08-01-2015 - 14:19 07-01-2015 - 13:59
CVE-2014-2223 7.5
Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then acce
08-01-2015 - 08:41 11-09-2014 - 10:16
CVE-2014-9528 7.5
SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter
06-01-2015 - 14:58 06-01-2015 - 10:59
CVE-2014-9522 4.3
Multiple cross-site scripting (XSS) vulnerabilities in CMS Papoo Light 6.0.0 (Rev 4701) allow remote attackers to inject arbitrary web script or HTML via the (1) author field to guestbook.php or (2) username field to account.php.
06-01-2015 - 11:55 05-01-2015 - 15:59
CVE-2014-9516 4.3
Cross-site scripting (XSS) vulnerability in Social Microblogging PRO 1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI, related to the "Web Site" input in the Profile section.
06-01-2015 - 11:48 05-01-2015 - 15:59
CVE-2014-2598 6.8
Cross-site request forgery (CSRF) vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via
06-01-2015 - 11:42 05-01-2015 - 15:59
CVE-2014-9457 6.5
SQL injection vulnerability in classes/mono_display.class.php in PMB 4.1.3 and earlier allows remote authenticated users to execute arbitrary SQL commands via the id parameter to catalog.php.
05-01-2015 - 18:41 02-01-2015 - 15:59
CVE-2014-9439 4.3
Cross-site scripting (XSS) vulnerability in Easy File Sharing Web Server 6.8 allows remote attackers to inject arbitrary web script or HTML via the username field during registration, which is not properly handled by forum.ghp.
05-01-2015 - 16:14 02-01-2015 - 14:59
CVE-2012-1415 6.8
Cross-site request forgery (CSRF) vulnerability in lib/logout.php in DFLabs PTK 1.0.5 and earlier allows remote attackers to hijack the authentication of administrators or investigators for requests that trigger a logout.
29-12-2014 - 11:31 27-12-2014 - 21:59
CVE-2012-1203 6.8
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.
29-12-2014 - 11:20 27-12-2014 - 19:59
CVE-2014-9348 7.5
SQL injection vulnerability in the formulaireRobot function in admin/robots.lib.php in RobotStats 1.0 allows remote attackers to execute arbitrary SQL commands via the robot parameter to admin/robots.php.
23-12-2014 - 12:10 08-12-2014 - 11:59
CVE-2014-9347 7.5
SQL injection vulnerability in dosearch.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the words_exact parameter.
16-12-2014 - 11:37 08-12-2014 - 11:59
CVE-2014-9305 6.5
SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_p
09-12-2014 - 13:21 08-12-2014 - 11:59
CVE-2014-9178 7.5
Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the
08-12-2014 - 10:25 02-12-2014 - 11:59
CVE-2014-8800 4.3
Cross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_up
05-12-2014 - 14:17 05-12-2014 - 10:59
CVE-2014-9173 7.5
SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter.
03-12-2014 - 15:00 02-12-2014 - 11:59
CVE-2014-9175 7.5
SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.
03-12-2014 - 13:42 02-12-2014 - 11:59
CVE-2014-8801 5.0
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax
28-11-2014 - 14:13 28-11-2014 - 10:59
CVE-2014-8799 5.0
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
28-11-2014 - 14:08 28-11-2014 - 10:59
CVE-2014-9097 7.5
Multiple SQL injection vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly as distributed before 2014-07-23, for WordPress allow (1) remote attackers to execute arbitrary SQL commands via the vid paramete
28-11-2014 - 09:10 26-11-2014 - 10:59
CVE-2014-8469 4.3
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.
24-11-2014 - 10:31 21-11-2014 - 10:59
CVE-2014-9005 7.5
Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 allow remote attackers to execute arbitrary SQL commands via the (1) country, (2) gender1, or (3) gender2 parameter in a search action to index.php.
20-11-2014 - 10:09 20-11-2014 - 08:55
CVE-2014-9004 4.3
Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php.
20-11-2014 - 10:07 20-11-2014 - 08:55
CVE-2014-8997 7.5
Unrestricted file upload vulnerability in the Photo functionality in DigitalVidhya Digi Online Examination System 2.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct r
20-11-2014 - 09:55 20-11-2014 - 08:55
CVE-2014-8998 6.5
lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the eval switch.
20-11-2014 - 09:43 20-11-2014 - 08:55
CVE-2012-6665 4.3
Directory traversal vulnerability in index.php in phpMoneyBooks 1.0.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, a different vulnerability than CVE-2012-1669. NOTE: the provenance of this information is
18-11-2014 - 11:54 17-11-2014 - 17:59
CVE-2014-2268 5.0
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by ex
18-11-2014 - 11:52 15-11-2014 - 20:59
CVE-2012-1669 4.3
Directory traversal vulnerability in index.php in phpMoneyBooks before 1.0.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
18-11-2014 - 07:52 17-11-2014 - 17:59
CVE-2014-8949 6.0
The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to allow remote
17-11-2014 - 21:04 16-11-2014 - 06:59
CVE-2014-8953 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Php Scriptlerim Who's Who script allow remote attackers to hijack the authentication of administrators for requests that (1) add an admin account via a request to filepath/yonetim/plugin/ad
17-11-2014 - 17:57 17-11-2014 - 11:59
CVE-2014-8596 7.5
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/adm
17-11-2014 - 17:42 17-11-2014 - 11:59
CVE-2014-8948 6.8
Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote attackers to hijack the authentication of administrators for requests with an unspecified impact via the i4w_trace param
17-11-2014 - 11:30 16-11-2014 - 06:59
CVE-2014-8770 9.0
Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file t
14-11-2014 - 10:27 13-11-2014 - 16:32
CVE-2014-5519 7.5
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party informatio
13-11-2014 - 17:51 11-09-2014 - 10:16
CVE-2014-8586 7.5
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter.
10-11-2014 - 11:16 04-11-2014 - 10:55
CVE-2013-7057 6.8
Cross-site request forgery (CSRF) vulnerability in Axway SecureTransport 5.1 SP2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that upload arbitrary files via a crafted request to api/v1.0/files/.
05-11-2014 - 08:38 04-11-2014 - 10:55
CVE-2014-8577 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) dat
03-11-2014 - 20:09 31-10-2014 - 10:55
CVE-2014-5520 7.5
SQL injection vulnerability in XRMS CRM, possibly 1.99.2, allows remote attackers to execute arbitrary SQL commands via the user_id parameter to plugins/webform/new-form.php, which is not properly handled by plugins/useradmin/fingeruser.php.
30-10-2014 - 21:11 26-10-2014 - 16:55
CVE-2014-5275 6.5
Multiple SQL injection vulnerabilities in includes/functions.php in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) password, (2) email, or (3) id parameter.
24-10-2014 - 20:22 20-10-2014 - 12:55
CVE-2014-2531 6.5
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search a
24-10-2014 - 14:02 21-10-2014 - 12:55
CVE-2012-5242 6.8
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.
24-10-2014 - 13:57 21-10-2014 - 10:55
CVE-2012-5243 5.0
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.
24-10-2014 - 13:26 21-10-2014 - 10:55
CVE-2014-8380 4.3
Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a "404 Not Found" response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regres
24-10-2014 - 09:08 21-10-2014 - 11:55
CVE-2014-5276 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture or (2) the edit parameter to profiles/index.php.
22-10-2014 - 21:16 20-10-2014 - 12:55
CVE-2012-5244 7.5
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to fu
22-10-2014 - 15:30 20-10-2014 - 10:55
CVE-2014-6312 4.3
Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site sc
22-10-2014 - 13:33 15-10-2014 - 10:55
CVE-2014-8295 7.5
SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
21-10-2014 - 21:40 15-10-2014 - 10:55
CVE-2014-2880 5.8
Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the
17-10-2014 - 03:12 17-04-2014 - 10:55
CVE-2014-5308 9.0
Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php.
09-10-2014 - 08:55 08-10-2014 - 13:55
CVE-2014-6389 7.5
backup.php in PHPCompta/NOALYSS before 6.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the d parameter.
07-10-2014 - 21:47 06-10-2014 - 19:55
CVE-2014-6607 7.5
M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability tha
07-10-2014 - 19:18 06-10-2014 - 19:55
CVE-2014-6409 6.8
Cross-site request forgery (CSRF) vulnerability in M/Monit 3.3.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that change user passwords via the fullname and password parameters to /admin/users/updat
07-10-2014 - 19:17 06-10-2014 - 19:55
CVE-2014-6619 4.3
Multiple cross-site scripting (XSS) vulnerabilities in register-exec.php in Restaurant Script (PizzaInn_Project) 1.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fname, (2) lname, or (3) login parameter.
01-10-2014 - 15:40 30-09-2014 - 12:55
CVE-2013-2586 4.3
XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method.
30-09-2014 - 14:07 29-09-2014 - 18:55
CVE-2012-5700 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox
24-09-2014 - 11:41 22-09-2014 - 11:55
CVE-2012-2583 4.3
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.
18-09-2014 - 11:02 17-09-2014 - 10:55
CVE-2012-4240 6.5
SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.
11-09-2014 - 12:52 11-09-2014 - 10:16
CVE-2012-0984 4.3
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target par
11-09-2014 - 12:46 11-09-2014 - 10:16
CVE-2014-5465 5.0
Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
03-09-2014 - 16:15 03-09-2014 - 15:55
CVE-2014-5521 6.5
plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows remote authenticated users to execute arbitrary code via shell metacharacters in the username parameter.
03-09-2014 - 10:15 02-09-2014 - 10:55
CVE-2012-1503 4.3
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.
02-09-2014 - 10:42 29-08-2014 - 09:55
CVE-2014-5115 5.0
Absolute path traversal vulnerability in DirPHP 1.0 allows remote attackers to read arbitrary files via a full pathname in the phpfile parameter to index.php.
27-08-2014 - 01:37 29-07-2014 - 10:55
CVE-2014-5347 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attack
20-08-2014 - 13:20 19-08-2014 - 15:55
CVE-2014-5346 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin 2.77 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) activate or (2) deactivate the plugin via th
20-08-2014 - 13:18 19-08-2014 - 15:55
CVE-2014-5345 4.3
Cross-site scripting (XSS) vulnerability in upgrade.php in the Disqus Comment System plugin before 2.76 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter.
20-08-2014 - 13:17 19-08-2014 - 15:55
CVE-2011-2944 7.5
SQL injection vulnerability in login.php in MegaLab The Uploader before 2.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter.
13-08-2014 - 14:12 12-08-2014 - 16:55
CVE-2014-5194 6.5
Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.
07-08-2014 - 10:30 07-08-2014 - 07:13
CVE-2014-5192 7.5
SQL injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to execute arbitrary SQL commands via the filter parameter.
07-08-2014 - 10:28 07-08-2014 - 07:13
CVE-2014-5100 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cro
28-07-2014 - 11:55 25-07-2014 - 15:55
CVE-2012-6506 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Zingiri Web Shop plugin 2.4.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in zing.inc.php or (2) notes parameter in fws/pages-front/
24-07-2014 - 00:46 23-01-2013 - 20:55
CVE-2014-4663 6.8
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
15-07-2014 - 15:25 15-07-2014 - 10:55
CVE-2014-4718 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Lunar CMS before 3.3-3 allow remote attackers to hijack the authentication of administrators for requests that (1) add Super users via a request to admin/user_create.php or conduct cross-s
07-07-2014 - 10:10 03-07-2014 - 10:55
CVE-2014-4688 6.5
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img
02-07-2014 - 15:20 02-07-2014 - 06:35
CVE-2014-3842 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) decrypt or (2) encrypt parameter.
27-06-2014 - 12:56 22-05-2014 - 11:13
CVE-2013-1668 8.5
The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.
27-06-2014 - 12:35 23-05-2014 - 10:55
CVE-2012-2580 4.3
Cross-site scripting (XSS) vulnerability in the Postie plugin 1.4.3, and possibly before 1.5.15, for WordPress allows remote attackers to inject arbitrary web script or HTML via the From field of an email.
23-06-2014 - 10:32 20-06-2014 - 10:55
CVE-2012-2579 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the WP SimpleMail plugin 1.0.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) To, (2) From, (3) Date, or (4) Subject field of an email.
23-06-2014 - 10:22 20-06-2014 - 10:55
CVE-2012-2572 4.3
Cross-site scripting (XSS) vulnerability in the ThreeWP Email Reflector plugin before 1.16 for WordPress allows remote attackers to inject arbitrary web script or HTML via the Subject of an email.
20-06-2014 - 10:24 19-06-2014 - 10:55
CVE-2014-3962 7.5
Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow remote attackers to execute arbitrary SQL commands via the url parameter to (1) videocat.php or (2) single.php.
18-06-2014 - 00:33 04-06-2014 - 10:55
CVE-2014-4166 4.3
Cross-site scripting (XSS) vulnerability in the song history in SHOUTcast DNAS 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the mp3 title field.
17-06-2014 - 10:58 16-06-2014 - 14:55
CVE-2014-4033 4.3
Cross-site scripting (XSS) vulnerability in libraries/includes/personal/profile.php in Epignosis eFront 3.6.14.4 allows remote attackers to inject arbitrary web script or HTML via the surname parameter to student.php.
12-06-2014 - 13:46 11-06-2014 - 10:55
CVE-2013-3739 5.0
Directory traversal vulnerability in editor.php in Network Weathermap 0.97c and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the mapname parameter in a show_config action.
06-06-2014 - 12:08 05-06-2014 - 16:55
CVE-2013-2618 4.3
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
06-06-2014 - 12:07 05-06-2014 - 16:55
CVE-2014-3975 5.0
Absolute path traversal vulnerability in filemanager.php in AuraCMS 3.0 allows remote attackers to list a directory via a full pathname in the viewdir parameter.
06-06-2014 - 10:56 05-06-2014 - 13:55
CVE-2014-3974 4.3
Cross-site scripting (XSS) vulnerability in filemanager.php in AuraCMS 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the viewdir parameter.
06-06-2014 - 10:54 05-06-2014 - 13:55
CVE-2014-3961 7.5
SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an "output CSV" action to pdb-signup/.
05-06-2014 - 10:48 04-06-2014 - 10:55
CVE-2009-1621 5.0
Directory traversal vulnerability in index.php in OpenCart 1.1.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the route parameter.
04-06-2014 - 23:34 12-05-2009 - 12:30
CVE-2013-7387 6.8
Session fixation vulnerability in DataLife Engine (DLE) 9.7 and earlier allows remote attackers to hijack web sessions via the PHPSESSID cookie.
03-06-2014 - 09:10 02-06-2014 - 11:55
CVE-2013-1412 7.5
DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.
03-06-2014 - 08:27 02-06-2014 - 11:55
CVE-2013-2712 4.3
Cross-site scripting (XSS) vulnerability in services/get_article.php in KrisonAV CMS before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter.
29-05-2014 - 19:44 23-05-2014 - 10:55
CVE-2013-2713 6.8
Cross-site request forgery (CSRF) vulnerability in users_maint.html in KrisonAV CMS before 3.0.2 allows remote attackers to hijack the authentication of administrators for requests that create user accounts via a crafted request.
29-05-2014 - 19:44 23-05-2014 - 10:55
CVE-2013-2225 6.4
inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php.
28-05-2014 - 13:07 27-05-2014 - 10:55
CVE-2014-3849 4.3
The iMember360 plugin 3.8.012 through 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to delete arbitrary users via a request containing a user name in the Email parameter and the API key in the i4w_clearuser pa
27-05-2014 - 10:36 23-05-2014 - 10:55
CVE-2014-3848 5.0
The iMember360 plugin before 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to obtain database credentials via the i4w_dbinfo parameter.
27-05-2014 - 10:34 23-05-2014 - 10:55
CVE-2014-3225 4.0
Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.
16-05-2014 - 00:26 13-05-2014 - 20:55
CVE-2008-5587 4.3
Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
15-05-2014 - 23:22 16-12-2008 - 14:07
CVE-2013-7376 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.10, possibly before revision 82710, allow remote attackers to hijack the authentication of administrators, as demonstrated by requests that conduct directory traversal attacks vi
15-05-2014 - 11:00 14-05-2014 - 15:55
CVE-2013-3514 4.3
Multiple directory traversal vulnerabilities in OpenX before 2.8.10 revision 82710 allow remote administrators to read arbitrary files via a .. (dot dot) in the group parameter to (1) plugin-preferences.php or (2) plugin-settings.php in www/admin, a
15-05-2014 - 09:01 14-05-2014 - 15:55
CVE-2014-3246 6.5
SQL injection vulnerability in Collabtive 1.2 allows remote authenticated users to execute arbitrary SQL commands via the folder parameter in a fileview_list action to manageajax.php.
14-05-2014 - 11:40 13-05-2014 - 10:55
CVE-2014-0794 4.3
SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.like action to index.php.
05-05-2014 - 01:32 26-01-2014 - 15:55
CVE-2013-6164 7.5
SQL injection vulnerability in view/objectDetail.php in Project'Or RIA 3.4.0 allows remote attackers to execute arbitrary SQL commands via the objectId parameter.
05-05-2014 - 01:29 14-11-2013 - 15:55
CVE-2014-2996 7.1
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. N
28-04-2014 - 08:03 25-04-2014 - 16:55
CVE-2014-2341 6.8
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
22-04-2014 - 13:04 22-04-2014 - 09:06
CVE-2014-2340 6.8
Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create website backups via a request to wp-admin/plugins.php.
19-04-2014 - 00:48 03-04-2014 - 12:15
CVE-2014-2540 7.5
SQL injection vulnerability in OrbitScripts Orbit Open Ad Server before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the site_directory_sort_field parameter to guest/site_directory.
14-04-2014 - 10:27 11-04-2014 - 10:55
CVE-2011-5278 7.5
SQL injection vulnerability in signature.php in Advanced Forum Signatures plugin (aka afsignatures) 2.0.4 for MyBB allows remote attackers to execute arbitrary SQL commands via the afs_bar_right parameter.
08-04-2014 - 11:46 08-04-2014 - 10:22
CVE-2011-5277 7.5
Multiple SQL injection vulnerabilities in signature.php in the Advanced Forum Signatures (aka afsignatures) plugin 2.0.4 for MyBB allow remote attackers to execute arbitrary SQL commands via the (1) afs_type, (2) afs_background, (3) afs_showonline, (
08-04-2014 - 11:46 08-04-2014 - 10:22
CVE-2013-6720 5.5
Directory traversal vulnerability in download.php in the Passive Capture Application (PCA) web console in IBM Tealeaf CX 7.x, 8.x through 8.6, 8.7 before FP2, and 8.8 before FP2 allows remote authenticated users to bypass intended access restrictions
01-04-2014 - 02:26 06-03-2014 - 06:55
CVE-2013-6719 6.0
delivery.php in the Passive Capture Application (PCA) web console in IBM Tealeaf CX 7.x, 8.x through 8.6, 8.7 before FP2, and 8.8 before FP2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the testconn_host
01-04-2014 - 02:26 06-03-2014 - 06:55
CVE-2013-5117 7.5
SQL injection vulnerability in the RSS page (DNNArticleRSS.aspx) in the ZLDNN DNNArticle module before 10.1 for DotNetNuke allows remote attackers to execute arbitrary SQL commands via the categoryid parameter.
13-03-2014 - 12:06 12-03-2014 - 10:55
CVE-2013-5639 7.5
Directory traversal vulnerability in users/login.php in Gnew 2013.1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the gnew_language cookie.
12-03-2014 - 14:03 11-03-2014 - 15:37
CVE-2013-2754 6.8
Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS before 2.9 build 21905 allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via a request to admin/users/add/user/do/.
11-03-2014 - 20:47 11-03-2014 - 15:37
CVE-2014-1944 4.3
Cross-site scripting (XSS) vulnerability in Ilch CMS 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the text parameter to index.php/guestbook/index/newentry.
10-03-2014 - 12:14 09-03-2014 - 09:16
CVE-2013-6233 4.3
Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata."
10-03-2014 - 10:57 09-03-2014 - 09:16
CVE-2013-6232 3.5
Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via a document note in the execution page.
10-03-2014 - 10:56 09-03-2014 - 09:16
CVE-2014-1854 7.5
SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.
07-03-2014 - 15:42 27-02-2014 - 10:55
CVE-2013-3242 5.5
plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and caus
07-03-2014 - 08:46 03-05-2013 - 07:57
CVE-2013-6936 7.5
Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip parameter.
25-02-2014 - 13:19 04-12-2013 - 13:56
CVE-2013-6881 10.0
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
25-02-2014 - 13:11 07-01-2014 - 12:04
CVE-2013-7137 7.5
The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1.
24-02-2014 - 21:07 25-01-2014 - 20:55
CVE-2013-6884 10.0
The write-blocker in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a has a default "ditto" username and password, which allows remote attackers to gain privileges.
24-02-2014 - 20:44 07-01-2014 - 12:04
CVE-2013-1466 4.3
Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6)
24-02-2014 - 17:05 05-02-2014 - 10:10
CVE-2013-4898 6.5
Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it vi
21-02-2014 - 14:06 29-01-2014 - 13:55
CVE-2014-1459 6.5
SQL injection vulnerability in dg-admin/index.php in doorGets CMS 5.2 and earlier allows remote authenticated administrators to execute arbitrary SQL commands via the _position_down_id parameter. NOTE: this can be leveraged using CSRF to allow remot
21-02-2014 - 00:06 11-02-2014 - 12:55
CVE-2014-1401 6.5
Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search parameter to mod/content/content.php or (2) CLIENT_IP, (3) X_FORWARDED_FOR, (4) X_FORWARDED, (5) F
21-02-2014 - 00:06 11-02-2014 - 12:55
CVE-2014-1206 7.5
SQL injection vulnerability in the password reset page in Open Web Analytics (OWA) before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the owa_email_address parameter in a base.passwordResetRequest action to index.php.
21-02-2014 - 00:06 15-01-2014 - 11:08
CVE-2013-7319 4.3
Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.
21-02-2014 - 00:06 06-02-2014 - 11:10
CVE-2013-1852 7.5
SQL injection vulnerability in leaguemanager.php in the LeagueManager plugin before 3.8.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the league_id parameter in the leaguemanager-export page to wp-admin/admin.php.
05-02-2014 - 13:13 05-02-2014 - 10:10
CVE-2013-2594 7.5
SQL injection vulnerability in reports/calldiary.php in Hornbill Supportworks ITSM 1.0.0 through 3.4.14 allows remote attackers to execute arbitrary SQL commands via the callref parameter.
22-01-2014 - 14:15 21-01-2014 - 11:06
CVE-2012-6626 7.5
SQL injection vulnerability in verify-user.php in b2ePMS 1.0 allows remote attackers to execute arbitrary SQL commands via the username field.
17-01-2014 - 13:28 16-01-2014 - 16:55
CVE-2013-6883 6.8
Cross-site request forgery (CSRF) vulnerability in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to hijack the authentication of administrators for requests that modify the disk erase technique settings via u
13-01-2014 - 23:29 17-12-2013 - 11:08
CVE-2013-6882 4.3
Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Forensic FieldStation with firmware 2013Oct15a and earlier allow (1) remote attackers to inject arbitrary web script or HTML via the username parameter in a login or (2) remote authenti
13-01-2014 - 23:29 17-12-2013 - 11:08
CVE-2013-6341 7.5
SQL injection vulnerability in Dokeos 2.2 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the language parameter to index.php.
27-12-2013 - 13:57 05-12-2013 - 13:55
CVE-2013-6787 6.0
SQL injection vulnerability in the check_user_password function in main/auth/profile.php in Chamilo LMS 1.9.6 and earlier, when using the non-encrypted passwords mode set at installation, allows remote authenticated users to execute arbitrary SQL com
27-12-2013 - 12:40 05-12-2013 - 13:55
CVE-2013-7194 3.5
Multiple cross-site scripting (XSS) vulnerabilities in www/administrator.php in eFront 3.6.14 (build 18012) allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) Last name, (2) Lesson name, or (3) Course name fi
23-12-2013 - 12:04 20-12-2013 - 19:55
CVE-2013-7187 7.5
SQL injection vulnerability in form.php in the FormCraft plugin 1.3.7 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
23-12-2013 - 09:59 20-12-2013 - 18:55
CVE-2012-6081 6.0
Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary cod
13-12-2013 - 00:08 02-01-2013 - 20:55
CVE-2009-4140 7.5
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_global
12-12-2013 - 23:32 22-12-2009 - 17:30
CVE-2013-6618 9.0
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3, and 12.3 before 12.3R1 allows remote authenticated users to execute arbitrary commands via the rsargs parameter in an exec action
08-12-2013 - 01:07 05-11-2013 - 15:55
CVE-2013-5576 6.8
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous
30-11-2013 - 23:31 09-10-2013 - 10:54
CVE-2013-6793 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar module in Olat 7.8.0.1 (b20130821 N1) allow remote attackers to inject arbitrary web script or HTML via the (1) event name or (2) date field.
21-11-2013 - 12:57 14-11-2013 - 15:55
CVE-2013-6794 4.3
Cross-site scripting (XSS) vulnerability in the Calendar module in Olat 7.8.0.1 (b20130821 N1) allows remote attackers to inject arbitrary web script or HTML via the Location field. NOTE: the provenance of this information is unknown; the details ar
21-11-2013 - 12:55 14-11-2013 - 15:55
CVE-2013-5977 6.8
Cross-site request forgery (CSRF) vulnerability in Cart66Product.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote attackers to hijack the authentication of administrators for requests that (1) create or modify products or con
20-11-2013 - 12:48 01-11-2013 - 11:55
CVE-2013-3238 6.0
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" featu
18-11-2013 - 23:48 25-04-2013 - 23:34
CVE-2011-5267 4.3
Multiple cross-site scripting (XSS) vulnerabilities in spell-check-savedicts.php in the SpellChecker module in Xinha, as used in WikiWig 5.01 and possibly other products, allow remote attackers to inject arbitrary web script or HTML via the (1) to_p_
07-11-2013 - 14:43 05-11-2013 - 13:55
CVE-2013-5694 7.5
SQL injection vulnerability in status/service/acknowledge in Opsview before 4.4.1 allows remote attackers to execute arbitrary SQL commands via the service_selection parameter.
06-11-2013 - 20:03 05-11-2013 - 15:55
CVE-2013-3535 4.3
Multiple cross-site scripting (XSS) vulnerabilities in CMSLogik 1.2.0 and 1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_email, (2) header_title, (3) site_title parameter to admin/settings; (4) recaptcha_private
02-11-2013 - 23:33 13-05-2013 - 19:55
CVE-2011-4106 6.8
TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it v
28-10-2013 - 11:15 26-10-2013 - 12:55
CVE-2013-5961 6.8
Unrestricted file upload vulnerability in lazyseo.php in the Lazy SEO plugin 1.1.9 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in lazy-seo/.
11-10-2013 - 11:08 30-09-2013 - 18:55
CVE-2013-5693 4.3
Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.
11-10-2013 - 09:33 30-09-2013 - 18:55
CVE-2013-5962 5.1
Unrestricted file upload vulnerability in frames/upload-images.php in the Complete Gallery Manager plugin before 3.3.4 rev40279 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then acc
10-10-2013 - 13:40 30-09-2013 - 18:55
CVE-2013-5091 6.5
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a
07-10-2013 - 14:58 04-10-2013 - 16:55
CVE-2013-5317 3.5
Cross-site scripting (XSS) vulnerability in RiteCMS 1.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the mode parameter to cms/index.php.
07-10-2013 - 14:36 20-08-2013 - 10:55
CVE-2013-5316 6.8
Cross-site request forgery (CSRF) vulnerability in RiteCMS 1.0.0 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via an edit user action to cms/index.php.
07-10-2013 - 14:34 20-08-2013 - 10:55
CVE-2011-5130 6.8
dev/less.php in Family Connections CMS (FCMS) 2.5.0 - 2.7.1, when register_globals is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the argv[1] parameter.
07-10-2013 - 14:12 30-08-2012 - 18:55
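Four of the entries above (CVE-2014-2996 dbbackup_comp, CVE-2013-6719 testconn_host, CVE-2013-6881 sector size and skip count, CVE-2011-5130 argv[1]) are the same defect: a request field is concatenated into a command string that a shell then parses, so `;`, `|`, backticks and `$()` inside the field are honoured. The Python below is an added illustration, not code from any of those products; the dd invocation, its device and output paths, and the ping connectivity check are constructed stand-ins for the imaging and test-connection features the advisories name. It shows the vulnerable concatenation next to the fix: validate each field against the type it is supposed to have, then pass an argv list so no shell is ever involved.

```python
import re
import subprocess
from typing import List

# Hostname grammar (RFC 1123 labels). A value that starts with "-" fails it,
# so the target program can never read the field as an option.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(sector_size: str, skip: str) -> str:
    """The bug as the advisories describe it: form fields pasted into one
    string that is handed to /bin/sh, which honours ';', '|', '`' and '$()'."""
    return f"dd if=/dev/sda of=/mnt/evidence/image.dd bs={sector_size} skip={skip}"


def is_decimal_field(value: str, max_digits: int) -> bool:
    """Type check for fields that are supposed to be counts: digits only."""
    return re.fullmatch(r"[0-9]{1,%d}" % max_digits, value) is not None


def is_hostname(value: str) -> bool:
    return _HOSTNAME_RE.match(value) is not None


def build_imaging_argv(sector_size: str, skip: str) -> List[str]:
    """Validate, then return an argv list. Passed to subprocess with the
    default shell=False, the values reach dd as separate arguments and are
    never parsed by a shell; an invalid value is refused up front."""
    if not (is_decimal_field(sector_size, 9) and is_decimal_field(skip, 12)):
        raise ValueError("sector size and skip count must be plain decimal integers")
    return ["dd", "if=/dev/sda", "of=/mnt/evidence/image.dd",
            f"bs={sector_size}", f"skip={skip}"]


def build_connectivity_argv(host: str) -> List[str]:
    """Constructed stand-in for a 'test connection' feature."""
    if not is_hostname(host):
        raise ValueError("not a valid hostname")
    return ["ping", "-c", "1", host]


def run(argv: List[str]) -> int:
    """Execute without a shell. Not called by the checks below; shown so the
    call site that matters (no shell=True, no string) is visible."""
    return subprocess.run(argv, check=False).returncode
```

The hostname grammar also rejects a leading `-`, which covers argument injection (a value such as `-c9999` being read as an option), a problem that shell-free execution alone does not prevent.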
CVE-2013-1468 7.6
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.
03-10-2013 - 14:49 13-03-2013 - 23:13
CVE-2012-1059 4.3
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Cart/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, as demonstrated
03-10-2013 - 14:26 13-02-2012 - 19:55
CVE-2013-5692 8.5
Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.
01-10-2013 - 16:01 30-09-2013 - 18:55
CVE-2013-5318 7.5
SQL injection vulnerability in Ginkgo CMS 5.0 allows remote attackers to execute arbitrary SQL commands via the rang parameter to index.php.
27-09-2013 - 23:40 20-08-2013 - 10:55
CVE-2010-1491 5.0
Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
13-09-2013 - 02:31 23-04-2010 - 10:30
CVE-2011-5147 5.0
Static code injection vulnerability in ajax_save_name.php in the Ajax File Manager module in the tinymce plugin in FreeWebshop 2.2.9 R2 and earlier allows remote attackers to inject arbitrary PHP code into data.php via the selected document, as demon
12-09-2013 - 02:24 31-08-2012 - 17:55
CVE-2010-1049 7.5
Multiple SQL injection vulnerabilities in Uiga Business Portal allow remote attackers to execute arbitrary SQL commands via the (1) noentryid parameter to blog/index.php and the (2) p parameter to index2.php.
12-09-2013 - 02:08 22-03-2010 - 21:00
CVE-2013-5672 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the IndiaNIC Testimonial plugin 2.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add a testimonial via an iNIC_testimonial_save
11-09-2013 - 20:09 10-09-2013 - 15:55
CVE-2013-5673 7.5
SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the custom_query parameter in a testimonial_add action to wp-admin/admin-ajax.php.
11-09-2013 - 10:50 10-09-2013 - 15:55
CVE-2011-5168 7.5
SQL injection vulnerability in user.php in Banana Dance before B.1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
11-09-2013 - 02:22 15-09-2012 - 13:55
CVE-2009-2334 4.9
wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensit
10-09-2013 - 02:00 10-07-2009 - 17:00
CVE-2010-4993 7.5
SQL injection vulnerability in the eventcal (com_eventcal) component 1.6.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
09-09-2013 - 02:06 01-11-2011 - 18:55
CVE-2010-1354 5.0
Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from
09-09-2013 - 01:58 12-04-2010 - 14:30
CVE-2007-3430 7.5
SQL injection vulnerability in index.php in Simple Invoices 2007 05 25 allows remote attackers to execute arbitrary SQL commands via the submit parameter in an email action.
09-09-2013 - 01:21 26-06-2007 - 20:30
CVE-2012-5231 7.5
miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code via a crafted (1) pagename or (2) area variable containing an executable extension, which is not properly handled by (a) update.php when writing files to content/, or (b) updat
08-09-2013 - 02:18 01-10-2012 - 16:55
CVE-2010-0985 7.5
Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of the
08-09-2013 - 01:55 16-03-2010 - 15:30
CVE-2008-6649 7.5
SQL injection vulnerability in manager/image_details_editor.php in Ktools PhotoStore 2.5, 2.9.8, 3.1.0, and other versions through 3.5.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
08-09-2013 - 01:43 07-04-2009 - 10:17
CVE-2010-5012 7.5
SQL injection vulnerability in new.php in DaLogin 2.2 and 2.2.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.
05-09-2013 - 11:48 02-11-2011 - 17:55
CVE-2012-1901 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in FlexCMS 3.2.1 and earlier allow remote attackers to (1) hijack the authentication of users for requests that change account settings via a request to index.php/profile-edit-save or (2) hij
05-09-2013 - 02:23 18-09-2012 - 14:55
CVE-2010-4849 7.5
SQL injection vulnerability in countrydetails.php in Alibaba Clone B2B 3.4 allows remote attackers to execute arbitrary SQL commands via the es_id parameter.
04-09-2013 - 02:11 27-09-2011 - 06:55
CVE-2007-6088 9.3
PHP remote file inclusion vulnerability in includes/functions_mod_user.php in phpBBViet 02.03.07 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
04-09-2013 - 01:32 21-11-2007 - 19:46
CVE-2010-3490 6.5
Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the use
03-09-2013 - 02:15 28-09-2010 - 14:00
CVE-2007-1428 7.5
SQL injection vulnerability in search.php in PHP Labs JobSitePro 1.0 allows remote attackers to execute arbitrary SQL commands via the salary parameter.
01-09-2013 - 01:27 12-03-2007 - 21:19
CVE-2010-4330 6.8
Directory traversal vulnerability in includes/controller.php in Pulse CMS Basic before 1.2.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p parameter to index.php.
31-08-2013 - 02:17 07-12-2010 - 08:53
CVE-2010-4333 7.5
Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.
30-08-2013 - 02:16 21-12-2010 - 22:00
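CVE-2013-7137 (a remember-me cookie whose value `1` is accepted as proof of login) and CVE-2010-4333 (arbitrary `auser` and `apass` cookie values grant administrator access) both let a client-held cookie be the whole authentication decision; CVE-2013-3242 is the other end of the same mistake, where the cookie is unserialized into an object. The Python below is an added example, not code from Burden, Pointter or Joomla!, and its server secret is a constructed placeholder. It shows the broken check next to a remember-me token that carries only plain JSON claims, is signed with HMAC-SHA256 under a server-held key, and expires.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret for the demo. In a deployment it is loaded
# from configuration and is never derived from anything the client sends.
SERVER_SECRET = b"constructed-demo-secret-0123456789abcdef"


def broken_is_logged_in(cookies: dict) -> bool:
    """The CVE-2013-7137 pattern: a flag cookie the client controls decides."""
    return cookies.get("burden_user_rememberme") == "1"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_token(username: str, now: int, ttl_seconds: int = 30 * 86400,
                         secret: bytes = SERVER_SECRET) -> str:
    """payload.signature: the payload is plain JSON (no serialized objects) and
    the signature is HMAC-SHA256 over the exact payload bytes."""
    payload = json.dumps({"u": username, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode("utf-8")
    signature = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(signature)


def verify_remember_token(token: str, now: int,
                          secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        payload_b64, signature_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        signature = b64url_decode(signature_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(signature, expected):
        return None
    claims = json.loads(payload)  # data only; nothing is "unserialized" into code
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims.get("u")
```

The cookie stays readable by its holder; what it can no longer be is forged, re-pointed at another user, or extended, and because the payload is data rather than a serialized object there is nothing for the parser to instantiate.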
CVE-2006-0147 7.5
Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (
30-08-2013 - 00:52 09-01-2006 - 18:03
CVE-2010-4940 7.5
SQL injection vulnerability in index.php in WAnewsletter 2.1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
29-08-2013 - 02:26 09-10-2011 - 06:55
CVE-2010-5020 7.5
SQL injection vulnerability in index.php in NetArt Media iBoutique 4.0 allows remote attackers to execute arbitrary SQL commands via the page parameter.
28-08-2013 - 02:31 02-11-2011 - 17:55
CVE-2010-1713 7.5
SQL injection vulnerability in modules.php in PostNuke 0.764 allows remote attackers to execute arbitrary SQL commands via the sid parameter in a News article modload action.
28-08-2013 - 02:20 04-05-2010 - 12:00
CVE-2009-4713 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Qas (aka Quas) module for XOOPS Celepar allow remote attackers to inject arbitrary web script or HTML via (1) the cod_categoria parameter to categoria.php, (2) the opcao parameter to index.ph
28-08-2013 - 02:15 15-03-2010 - 17:30
CVE-2009-4456 7.5
SQL injection vulnerability in news_detail.php in Green Desktiny 2.3.1, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the id parameter.
28-08-2013 - 02:14 29-12-2009 - 19:30
CVE-2012-6584 7.5
Multiple SQL injection vulnerabilities in MYRE Realty Manager allow remote attackers to execute arbitrary SQL commands via the bathrooms1 parameter to (1) demo2/search.php or (2) search.php.
27-08-2013 - 10:13 24-08-2013 - 23:27
CVE-2012-6586 7.5
Multiple SQL injection vulnerabilities in MYRE Vacation Rental Software allow remote attackers to execute arbitrary SQL commands via the (1) garage1 or (2) bathrooms1 parameter to vacation/1_mobile/search.php, or (3) unspecified input to vacation/wid
27-08-2013 - 10:01 24-08-2013 - 23:27
CVE-2012-6587 4.3
Cross-site scripting (XSS) vulnerability in vacation/1_mobile/alert_members.php in MYRE Vacation Rental Software allows remote attackers to inject arbitrary web script or HTML via the link_idd parameter in a login action.
27-08-2013 - 09:46 24-08-2013 - 23:27
CVE-2012-6588 7.5
SQL injection vulnerability in links.php in MYRE Business Directory allows remote attackers to execute arbitrary SQL commands via the cat parameter.
27-08-2013 - 09:27 24-08-2013 - 23:27
CVE-2012-2923 7.5
SQL injection vulnerability in news.php4 in Hypermethod eLearning Server 4G allows remote attackers to execute arbitrary SQL commands via the nid parameter.
27-08-2013 - 03:10 21-05-2012 - 18:55
CVE-2008-6749 6.8
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPDirectory 0.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) checkuser and (2) checkpass parameters.
27-08-2013 - 02:14 24-04-2009 - 10:30
CVE-2012-6589 4.3
Cross-site scripting (XSS) vulnerability in search.php in MYRE Business Directory allows remote attackers to inject arbitrary web script or HTML via the look parameter.
26-08-2013 - 13:32 24-08-2013 - 23:27
CVE-2012-6585 4.3
Cross-site scripting (XSS) vulnerability in search.php in MYRE Realty Manager allows remote attackers to inject arbitrary web script or HTML via the cat_id1 parameter.
26-08-2013 - 11:20 24-08-2013 - 23:27
CVE-2007-6655 7.5
PHP remote file inclusion vulnerability in includes/function.php in Kontakt Formular 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter.
26-08-2013 - 01:35 04-01-2008 - 06:46
CVE-2010-0759 7.5
Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via d
24-08-2013 - 02:12 26-02-2010 - 19:30
CVE-2007-4603 7.5
Multiple SQL injection vulnerabilities in index.php in ACG News 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the aid parameter in a showarticle action or (2) the catid parameter in a showcat action.
24-08-2013 - 01:35 30-08-2007 - 20:17
CVE-2009-4817 6.8
Unrestricted file upload vulnerability in Element-IT Ultimate Uploader 1.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/.
22-08-2013 - 02:17 27-04-2010 - 11:30
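The unrestricted-upload entries (CVE-2013-4898, CVE-2012-6081, CVE-2009-4140, CVE-2013-5576, CVE-2013-5961, CVE-2013-5962, CVE-2009-4817) share one root cause: the uploaded file keeps a client-chosen name inside a directory the web server executes scripts from, so a direct request to it runs the payload. The Python below is an added example rather than any of those plugins' code; the accepted image types, their magic bytes and the sample inputs are constructed. It checks an allowlist of extensions, confirms the leading bytes match the claimed type, and replaces the client's name with one the server chooses.

```python
import os
import secrets
from typing import Dict, Optional, Tuple

# Allowed image types and the leading bytes a genuine file of that type has.
IMAGE_MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def vulnerable_stored_name(original_filename: str) -> str:
    """The advisories' pattern: the client's filename, extension included, is
    used as-is under the web root, so shell.php becomes a reachable script."""
    return os.path.basename(original_filename)


def validate_upload(original_filename: str, data: bytes) -> Optional[str]:
    """Return the filename to store under, or None to refuse the upload.

    The decision uses an allowlist of extensions plus the file's own leading
    bytes, and the stored name is chosen by the server, so neither the client's
    name (shell.php, shell.php.jpg, shell.phtml) nor any path in it survives.
    """
    name = os.path.basename(original_filename.replace("\\", "/"))
    if "\x00" in name or "." not in name:
        return None
    extension = name.rsplit(".", 1)[1].lower()
    magic = IMAGE_MAGIC.get(extension)
    if magic is None or not any(data.startswith(prefix) for prefix in magic):
        return None
    # Random server-chosen name: only the allowlisted extension remains.
    return f"{secrets.token_hex(16)}.{extension}"
```

A leading-bytes check does not stop a polyglot (a valid JPEG with PHP in a comment segment), so the directory the file lands in must be outside the document root or served with script handlers disabled. CVE-2011-4106 (TimThumb) shows the same validation is needed for content fetched by URL: an allowlisted domain says nothing about the bytes that come back.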
CVE-2010-0288 7.5
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the
21-08-2013 - 23:27 15-02-2010 - 13:30
CVE-2010-0287 5.0
Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter.
21-08-2013 - 23:27 15-02-2010 - 13:30
CVE-2013-5321 7.5
Multiple SQL injection vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 4.1 allow remote attackers to execute arbitrary SQL commands via the (1) sensor parameter in a Query action to forensics/base_qry_main.php; the (
21-08-2013 - 10:08 20-08-2013 - 10:56
CVE-2010-0696 5.0
Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
21-08-2013 - 02:18 23-02-2010 - 13:30
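The traversal entries fall into two shapes: relative dot-dot sequences (CVE-2013-3739 mapname, CVE-2009-1621 route, CVE-2008-5587 _language, CVE-2013-5639 gnew_language cookie, CVE-2010-0287 ns, and the obfuscated `./../.../` form in CVE-2010-0696) and absolute paths that replace the base directory outright (CVE-2014-3975 viewdir, CVE-2014-3225 Kickstart). The Python below is an added example, not code from those products; the base directory and the inputs are constructed. Rather than searching the input for `../`, it joins the value to the base, collapses the result and checks that the canonical path is still inside the base, which covers every spelling of the escape at once.

```python
import posixpath
from typing import Optional

# Constructed document root for the demo; nothing is read from disk.
BASE_DIR = "/var/www/app/files"


def strip_dotdot_once(user_path: str) -> str:
    """The kind of filter that gets bypassed: delete '../' in a single pass."""
    return user_path.replace("../", "")


def resolve_under_base(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path for user_path if it stays inside base_dir,
    else None. The decision is made on the *collapsed* path, not on the input
    string, so it does not matter how the dot-dot sequence was obfuscated."""
    if "\x00" in user_path:  # a NUL would truncate the path in C-backed file APIs
        return None
    # posixpath.join(base, "/etc/passwd") returns "/etc/passwd": an absolute
    # input silently discards the base (the CVE-2014-3975 shape). Strip leading
    # separators so the input is always interpreted relative to base_dir.
    relative = user_path.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_dir, relative))
    base = posixpath.normpath(base_dir)
    # commonpath, unlike startswith, does not accept the sibling "/files_evil".
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate
```

`strip_dotdot_once` is the filter that fails: removing `../` in a single pass turns `....//` into `../`, so the filter manufactures the traversal it was meant to block. The check on the collapsed path rejects that output as well, because it never looks at the input text.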
CVE-2013-5312 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Vastal I-Tech phpVID 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to browse_videos.php or the (2) cat parameter to groups.php.
20-08-2013 - 09:17 19-08-2013 - 17:10
CVE-2013-5311 7.5
Multiple SQL injection vulnerabilities in Vastal I-Tech phpVID 1.2.3 allow remote attackers to execute arbitrary SQL commands via the "n" parameter to (1) browse_videos.php or (2) members.php. NOTE: the cat parameter is already covered by CVE-2008-4
20-08-2013 - 09:15 19-08-2013 - 17:10
CVE-2012-5388 3.5
Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action t
19-08-2013 - 23:18 24-10-2012 - 13:55
CVE-2012-5387 6.8
Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wl
19-08-2013 - 23:18 24-10-2012 - 13:55
CVE-2010-1341 7.5
SQL injection vulnerability in index.php in Systemsoftware Community Black Forum allows remote attackers to execute arbitrary SQL commands via the s_flaeche parameter.
19-08-2013 - 12:27 09-04-2010 - 14:30
CVE-2010-3313 7.5
phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows
18-08-2013 - 02:14 22-09-2010 - 15:00
CVE-2010-0756 5.8
Session fixation vulnerability in WikyBlog 1.7.3 rc2 allows remote attackers to hijack web sessions by setting the jsessionid parameter to (1) index.php/Comment/Main, (2) index.php/Comment/Main/Home_Wiky, or (3) index.php/Edit/Main.
18-08-2013 - 02:09 26-02-2010 - 19:30
CVE-2007-1815 7.5
SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.
18-08-2013 - 01:25 02-04-2007 - 19:19
CVE-2012-5315 4.3
Multiple cross-site scripting (XSS) vulnerabilities in php ireport 1.0 allow remote attackers to inject arbitrary web script or HTML via the message parameter to (1) messages_viewer.php, (2) home.php, or (3) history.php.
17-08-2013 - 02:50 08-10-2012 - 13:55
CVE-2006-7247 7.5
SQL injection vulnerability in the Weblinks (com_weblinks) component for Joomla! and Mambo 1.0.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.
16-08-2013 - 01:46 06-09-2012 - 15:55
CVE-2013-5099 2.6
Cross-site scripting (XSS) vulnerability in article.php in Anchor CMS 0.9.1, when comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Name field. NOTE: some sources have reported that comments.php is vulnerab
14-08-2013 - 14:05 09-08-2013 - 17:55
CVE-2013-5121 7.5
SQL injection vulnerability in PHPFox before 3.6.0 (build6) allows remote attackers to execute arbitrary SQL commands via the search[sort_by] parameter to user/browse/view_/.
14-08-2013 - 13:52 14-08-2013 - 11:55
CVE-2013-5120 7.5
SQL injection vulnerability in PHPFox before 3.6.0 (build4) allows remote attackers to execute arbitrary SQL commands via the search[gender] parameter to user/browse/view_/.
14-08-2013 - 13:31 14-08-2013 - 11:55
CVE-2010-1058 6.8
Directory traversal vulnerability in codelib/cfg/common.inc.php in Phpkobo Address Book Script 1.09, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the LANG_CODE parameter
14-08-2013 - 02:11 23-03-2010 - 13:30
CVE-2007-6459 6.8
Anon Proxy Server 0.100, and probably 0.101, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the host parameter to diagdns.php, and (2) the host parameter and possibly (3) the port parameter to diagconnect.php, a
14-08-2013 - 01:37 19-12-2007 - 19:46
CVE-2011-0503 6.8
Cross-site request forgery (CSRF) vulnerability in VaM Shop 1.6, 1.6.1, and probably earlier versions allows remote attackers to hijack the authentication of administrators for requests that (1) change user status via admin/customers.php or (2) chang
13-08-2013 - 12:59 20-01-2011 - 14:00
CVE-2010-5284 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Collabtive 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) User parameter in the edit user profile feature to manageuser.php, (2) y parameter in a newcal action to
13-08-2013 - 12:58 26-11-2012 - 18:55
CVE-2009-4574 7.5
SQL injection vulnerability in country_escorts.php in I-Escorts Directory Script allows remote attackers to execute arbitrary SQL commands via the country_id parameter.
13-08-2013 - 12:46 06-01-2010 - 17:00
CVE-2009-2180 5.0
Multiple directory traversal vulnerabilities in upfiles/index.php in Pc4 Uploader 10.0 and earlier allow remote attackers to read arbitrary files via (1) a .. (dot dot) or (2) absolute path in the file parameter.
07-08-2013 - 02:11 23-06-2009 - 17:30
CVE-2007-4809 7.5
Multiple PHP remote file inclusion vulnerabilities in Online Fantasy Football League (OFFL) 0.2.6 allow remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter to (1) lib/functions.php or (2) lib/header.php.
07-08-2013 - 01:39 11-09-2007 - 14:17
CVE-2013-2690 7.5
SQL injection vulnerability in index.php in Synchroweb Technology SynConnect 2.0 allows remote attackers to execute arbitrary SQL commands via the loginid parameter in a logoff action.
06-08-2013 - 17:47 28-03-2013 - 19:55
CVE-2011-0903 6.8
Multiple directory traversal vulnerabilities in AR Web Content Manager (AWCM) 2.2 allow remote attackers to read arbitrary files and possibly have other unspecified impact via a .. (dot dot) in the (1) awcm_theme or (2) awcm_lang cookie to (a) index.
06-08-2013 - 17:27 07-02-2011 - 16:00
CVE-2009-3314 7.5
SQL injection vulnerability in ladders.php in Elite Gaming Ladders 3.2 allows remote attackers to execute arbitrary SQL commands via the platform parameter.
06-08-2013 - 17:10 23-09-2009 - 08:08
CVE-2007-3812 7.5
SQL injection vulnerability in forums.php in CMScout 1.23 and earlier allows remote attackers to execute arbitrary SQL commands via the f parameter in a forums action to index.php.
03-08-2013 - 02:23 16-07-2007 - 20:30
CVE-2010-1350 7.5
SQL injection vulnerability in the JP Jobs (com_jp_jobs) component 1.4.1 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php.
02-08-2013 - 02:32 12-04-2010 - 14:30
CVE-2011-4813 5.0
Directory traversal vulnerability in clientarea.php in WHMCompleteSolution (WHMCS) 3.x.x allows remote attackers to read arbitrary files via an invalid action and a ../ (dot dot slash) in the templatefile parameter.
31-07-2013 - 02:24 13-12-2011 - 19:55
CVE-2007-0571 7.5
PHP remote file inclusion vulnerability in include/lib/lib_head.php in phpMyReports 3.0.11 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cfgPathModule parameter.
31-07-2013 - 01:18 30-01-2007 - 12:28
CVE-2012-4399 5.0
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
30-07-2013 - 02:28 09-10-2012 - 19:55
CVE-2010-1336 7.5
Multiple SQL injection vulnerabilities in INVOhost 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) newlanguage parameters to site.php, (3) search parameter to manuals.php, and (4) unspecified vectors to faq.php. N
30-07-2013 - 02:05 09-04-2010 - 14:30
CVE-2013-4953 7.5
SQL injection vulnerability in play.php in Top Games Script 1.2 allows remote attackers to execute arbitrary SQL commands via the gid parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4952 7.5
SQL injection vulnerability in functions/global.php in Elemata CMS RC 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4950 4.3
Cross-site scripting (XSS) vulnerability in view.php in Machform 2 allows remote attackers to inject arbitrary web script or HTML via the element_2 parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4949 6.8
Unrestricted file upload vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in the upload form's directory in data/.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4948 7.5
SQL injection vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary SQL commands via the element_2 parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-3515 4.3
Multiple cross-site scripting (XSS) vulnerabilities in OpenX Source 2.8.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) package parameter to www/admin/plugin-index.php or the (2) group parameter to www/admin/p
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2010-3456 5.0
Directory traversal vulnerability in download.php in EnergyScripts (ES) Simple Download 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
29-07-2013 - 12:31 17-09-2010 - 16:00
CVE-2010-2697 3.5
Cross-site scripting (XSS) vulnerability in Sijio Community Software allows remote authenticated users to inject arbitrary web script or HTML via the title parameter when adding a new blog, related to edit_blog/index.php. NOTE: some of these details
29-07-2013 - 12:29 12-07-2010 - 13:30
CVE-2010-4275 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Radius Manager 3.8.0 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) name or (2) descr parameter in an (a) update_usergroup or a (b) store_nas action
27-07-2013 - 02:18 21-12-2010 - 22:00
CVE-2007-6396 7.5
Direct static code injection vulnerability in index.php in Flat PHP Board 1.2 and earlier allows remote attackers to inject arbitrary PHP code via the (1) username, (2) password, and (3) email parameters when registering a user account, which can be
27-07-2013 - 01:38 17-12-2007 - 13:46
CVE-2010-3205 7.5
PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.
26-07-2013 - 02:27 03-09-2010 - 14:00
CVE-2010-4862 7.5
SQL injection vulnerability in the JExtensions JE Directory (com_jedirectory) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in an item action to index.php.
25-07-2013 - 12:28 05-10-2011 - 06:55
CVE-2010-1217 4.3
Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NO
23-07-2013 - 04:57 30-03-2010 - 19:30
CVE-2010-4795 7.5
SQL injection vulnerability in the JS Calendar (com_jscalendar) component 1.5.1 and 1.5.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the ev_id parameter in a details action to index.php. NOTE: some of these details are
21-07-2013 - 03:03 26-04-2011 - 20:55
CVE-2007-6368 5.0
Directory traversal vulnerability in index.php in ezContents 1.4.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the link parameter.
21-07-2013 - 02:27 14-12-2007 - 20:46
CVE-2010-1534 5.0
Directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
18-07-2013 - 11:10 26-04-2010 - 14:30
CVE-2010-0722 7.5
SQL injection vulnerability in news.php in Php Auktion Pro allows remote attackers to execute arbitrary SQL commands via the id parameter.
18-07-2013 - 11:08 26-02-2010 - 15:30
CVE-2010-4280 7.5
Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter i
17-07-2013 - 02:21 02-12-2010 - 12:15
CVE-2010-0467 5.0
Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
17-07-2013 - 02:13 02-02-2010 - 12:30
CVE-2012-4265 7.5
SQL injection vulnerability in category_edit.php in Proman Xpress 5.0.1 allows remote attackers to execute arbitrary SQL commands via the cid parameter.
14-07-2013 - 02:25 13-08-2012 - 18:55
CVE-2008-4885 7.5
SQL injection vulnerability in tr1.php in YourFreeWorld Scrolling Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
11-07-2013 - 01:45 03-11-2008 - 19:57
CVE-2012-1613 3.5
Cross-site scripting (XSS) vulnerability in edit_one_pic.php in Coppermine Photo Gallery before 1.5.20 allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the keywords parameter.
04-07-2013 - 03:30 04-09-2012 - 16:55
CVE-2010-5027 4.3
Cross-site scripting (XSS) vulnerability in winners.php in Science Fair In A Box (SFIAB) 2.0.6 and 2.2.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter. NOTE: some of these details are obtained from third party
04-07-2013 - 03:14 02-11-2011 - 17:55
CVE-2010-1721 7.5
SQL injection vulnerability in the Intellectual Property (aka IProperty or com_iproperty) component 1.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an agentproperties action to index.php.
04-07-2013 - 03:05 04-05-2010 - 12:00
CVE-2012-6559 4.3
Multiple cross-site scripting (XSS) vulnerabilities in FreeNAC 3.02 allow remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) mac, (3) graphtype, (4) name, or (5) type parameter to stats.php; or (6) comment parameter to d
03-06-2013 - 00:00 23-05-2013 - 11:55
CVE-2013-3721 7.5
SQL injection vulnerability in awards.php in PsychoStats 3.2.2b allows remote attackers to execute arbitrary SQL commands via the d parameter.
31-05-2013 - 00:00 31-05-2013 - 08:20
CVE-2008-6422 7.5
Multiple SQL injection vulnerabilities in PsychoStats 2.3, 2.3.1, and 2.3.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) weapon.php and (2) map.php.
31-05-2013 - 00:00 06-03-2009 - 13:30
CVE-2012-2924 7.5
PHP remote file inclusion vulnerability in admin/setup.inc.php in Hypermethod eLearning Server 4G allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.
24-05-2013 - 23:11 21-05-2012 - 18:55
CVE-2012-2905 5.0
Artiphp CMS 5.5.0 Neo (r422) stores database backups with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request.
24-05-2013 - 23:11 21-05-2012 - 14:55
CVE-2012-6560 7.5
SQL injection vulnerability in deviceadd.php in FreeNAC 3.02 allows remote attackers to execute arbitrary SQL commands via the status parameter.
24-05-2013 - 09:32 23-05-2013 - 11:55
CVE-2012-6556 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the FirstLastNames plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) User/FirstName or (2) User/LastName parameter to the edit user page.
24-05-2013 - 09:24 23-05-2013 - 11:55
CVE-2012-6554 6.5
functions/html_to_text.php in the Chat module before 1.5.2 for activeCollab allows remote authenticated users to execute arbitrary PHP code via the message[message_text] parameter to chat/add_messag, which is not properly handled when executing the p
24-05-2013 - 08:51 23-05-2013 - 11:55
CVE-2012-6555 4.3
Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1.1 for Vanilla Forums allows remote attackers to inject arbitrary web script or HTML via the discussion title.
24-05-2013 - 08:44 23-05-2013 - 11:55
CVE-2012-6557 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the AboutMe plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) AboutMe/RealName, (2) AboutMe/Name, (3) AboutMe/Quote, (4) AboutMe/Loc, (5) A
24-05-2013 - 00:00 23-05-2013 - 11:55
CVE-2013-3536 7.5
SQL injection vulnerability in the gp_LoadUserFromHash function in functions_hash.php in the Group Pay module 1.5 and earlier for WHMCS allows remote attackers to execute arbitrary SQL commands via the hash parameter.
14-05-2013 - 10:48 13-05-2013 - 19:55
CVE-2013-3529 4.3
Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php in the WP FuneralPress plugin before 1.1.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) message, (2) photo-message, or (3) youtube-messag
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2013-3527 7.5
Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2013-3524 7.5
SQL injection vulnerability in popupnewsitem/ in the Pop Up News module 2.0 and possibly earlier for phpVMS allows remote attackers to execute arbitrary SQL commands via the itemid parameter. NOTE: this was originally reported as a problem in phpVMS
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2013-3522 6.5
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2013-1748 7.5
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) edit.php or (2) import.php. NOTE: the view.php id vector is already covered by CVE-2008-2565.
18-04-2013 - 12:19 18-04-2013 - 07:33
CVE-2013-3050 7.5
SQL injection vulnerability in ZAPms 1.41 and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter to product.
15-04-2013 - 00:00 12-04-2013 - 18:55
CVE-2013-1465 7.5
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using
26-03-2013 - 00:00 08-02-2013 - 15:55
CVE-2012-4178 7.5
SQL injection vulnerability in spywall/includes/deptUploads_data.php in Symantec Web Gateway 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via the groupid parameter.
25-03-2013 - 23:38 07-08-2012 - 18:55
CVE-2012-3435 7.5
SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.
21-03-2013 - 23:11 15-08-2012 - 16:55
CVE-2013-1469 4.0
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.
19-03-2013 - 00:00 13-03-2013 - 16:55
CVE-2011-5212 7.5
SQL injection vulnerability in admin/index.php in Subrion CMS 2.0.4 allows remote attackers to execute arbitrary SQL commands via the (1) user name or (2) password field.
13-02-2013 - 23:47 22-10-2012 - 19:55
CVE-2011-5257 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Classipress theme before 3.1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) twitter_id parameter related to the Twitter widget and (2) facebook_id p
13-02-2013 - 00:00 12-02-2013 - 15:55
CVE-2012-5864 10.0
The management web pages on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 do not require authenti
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-5863 10.0
ping.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allows remote attackers to execute arbi
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-5862 10.0
login.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 establishes multiple hardcoded account
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-5861 7.5
Multiple SQL injection vulnerabilities on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allow rem
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-3448 7.5
Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.
02-02-2013 - 00:05 06-08-2012 - 14:55
CVE-2012-6523 4.3
Multiple cross-site scripting (XSS) vulnerabilities in w-CMS 2.01 allow remote attackers to inject arbitrary web script or HTML via (1) the p parameter in the getMenus function in codes/wcms.php; or the COMMENT parameter in (2) blog.php, (3) guestboo
31-01-2013 - 23:53 31-01-2013 - 00:44
CVE-2010-5287 7.5
SQL injection vulnerability in default.php in Cornerstone Technologies webConductor allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 08:48 31-01-2013 - 00:43
CVE-2012-6525 7.5
SQL injection vulnerability in members.php in PHPBridges allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 00:00 31-01-2013 - 00:44
CVE-2012-6524 7.5
SQL injection vulnerability in kommentar.php in pGB 2.12 allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 00:00 31-01-2013 - 00:44
CVE-2012-6522 5.0
Directory traversal vulnerability in the getContent function in codes/wcms.php in w-CMS 2.01 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter. NOTE: some of these details are obtained from third party information
31-01-2013 - 00:00 31-01-2013 - 00:44
CVE-2012-5334 7.5
SQL injection vulnerability in product_desc.php in Pre Printing Press allows remote attackers to execute arbitrary SQL commands via the pid parameter.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5333 7.5
SQL injection vulnerability in page.php in Pre Printing Press allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5331 6.8
Directory traversal vulnerability in asaanCart 0.9 allows remote attackers to include arbitrary local files via a .. (dot dot) in the page parameter to index.php.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5330 4.3
Multiple cross-site scripting (XSS) vulnerabilities in asaanCart 0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to calc.php, (2) chat.php, (3) register.php, or (4) index.php in libs/smarty_ajax/; or the (5) pa
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-1671 6.8
Directory traversal vulnerability in index.php in phpPaleo 4.8b155 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5349 2.6
Multiple cross-site scripting (XSS) vulnerabilities in pay.php in the Pay With Tweet plugin before 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) title, or (3) dl parameter.
30-01-2013 - 00:00 09-10-2012 - 11:55
CVE-2012-1125 6.8
Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin before 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a PHP extension, then accessing it via a di
29-01-2013 - 23:48 08-10-2012 - 13:55
CVE-2012-6519 7.5
SQL injection vulnerability in modules/poll/index.php in DIY-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the start parameter to mod.php.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6518 6.8
Cross-site request forgery (CSRF) vulnerability in mod.php in DiY-CMS 1.0 allows remote attackers to hijack the authentication of administrators for requests that create a poll via an add action to the poll module.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6517 4.3
Multiple cross-site scripting (XSS) vulnerabilities in DiY-CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) question parameter to /modules/poll/add.php or (2) question or (3) answer parameter to modules/poll/edit.p
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6516 7.5
SQL injection vulnerability in PHP Ticket System Beta 1 allows remote attackers to execute arbitrary SQL commands via the q parameter to index.php.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6505 4.3
Cross-site scripting (XSS) vulnerability in mods/hours/data/get_hours.php in PHP Volunteer Management 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6504 7.5
SQL injection vulnerability in mods/hours/data/get_hours.php in PHP Volunteer Management 1.0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2008-3498 7.5
SQL injection vulnerability in the nBill (com_netinvoice) component 1.2.0 SP1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in an orders action to index.php. NOTE: some of these details are obtained from
24-01-2013 - 00:00 06-08-2008 - 14:41
CVE-2012-6500 5.0
Directory traversal vulnerability in download.lib.php in Pragyan CMS 3.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the fileget parameter in a profile action to index.php.
23-01-2013 - 00:00 11-01-2013 - 23:33
CVE-2009-1480 7.5
SQL injection vulnerability in index.php in Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors.
23-01-2013 - 00:00 29-04-2009 - 14:30
CVE-2012-5874 7.5
Multiple SQL injection vulnerabilities in the (1) update_whosonline_reg and (2) update_whosonline_guest functions in Elite Bulletin Board before 2.1.22 allow remote attackers to execute arbitrary SQL commands via the PATH_INFO to (a) checkuser.php, (
21-01-2013 - 00:00 11-01-2013 - 23:33
CVE-2012-5900 7.5
Multiple SQL injection vulnerabilities in SAMEDIA LandShop 0.9.2 allow remote attackers to execute arbitrary SQL commands via the (1) OB_ID parameter in a single action to admin/action/objects.php, (2) AREA_ID parameter in a single action to admin/ac
15-01-2013 - 00:00 17-11-2012 - 16:55
CVE-2012-5899 4.3
Cross-site scripting (XSS) vulnerability in admin/action/objects.php in SAMEDIA LandShop 0.9.2 allows remote attackers to inject arbitrary web script or HTML via the OTR_HEADS[] parameter in an edit action. NOTE: some of these details are obtained fr
15-01-2013 - 00:00 17-11-2012 - 16:55
CVE-2012-5891 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in photo/pass.php in DAlbum 1.44 build 174 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an add action, (2) change use
15-01-2013 - 00:00 17-11-2012 - 16:55
CVE-2012-6499 5.8
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter.
14-01-2013 - 00:00 11-01-2013 - 23:33
CVE-2012-6495 6.0
Multiple directory traversal vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to overwrite arbitrary files
07-01-2013 - 00:00 02-01-2013 - 20:55
CVE-2012-6434 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) do
07-01-2013 - 00:00 03-01-2013 - 06:54
CVE-2012-6433 6.8
Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action.
07-01-2013 - 00:00 03-01-2013 - 06:54
CVE-2012-1153 6.8
Unrestricted file upload vulnerability in addons/uploadify/uploadify.php in appRain CMF 0.1.5 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to th
03-01-2013 - 23:36 06-10-2012 - 17:55
CVE-2009-1049 7.5
SQL injection vulnerability in articleCall.php in Bloginator 1A allows remote attackers to execute arbitrary SQL commands via the id parameter.
03-01-2013 - 00:00 24-03-2009 - 10:30
CVE-2006-1978 7.5
SQL injection vulnerability in inc/start.php in FlexBB 0.5.5 and earlier allows remote attackers to execute arbitrary SQL commands via the flexbb_username COOKIE parameter.
03-01-2013 - 00:00 21-04-2006 - 18:02
CVE-2011-5186 4.3
Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop plugin for e107 7 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter.
20-12-2012 - 00:00 20-09-2012 - 06:55
CVE-2012-2209 4.3
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the langua
18-12-2012 - 23:52 14-08-2012 - 18:55
CVE-2012-2208 7.5
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
18-12-2012 - 23:52 14-08-2012 - 18:55
CVE-2011-5183 7.5
Multiple SQL injection vulnerabilities in OrderSys 1.6.4 and earlier allow remote attackers to execute arbitrary SQL commands via the where_clause parameter to (1) index.php, (2) index_long.php, or (3) index_short.php in ordering/interface_creator/.
17-12-2012 - 00:00 20-09-2012 - 06:55
CVE-2006-4531 7.5
PHP remote file inclusion vulnerability in lib/config.php in Pheap CMS 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the lpref parameter.
12-12-2012 - 22:02 01-09-2006 - 19:04
CVE-2010-5285 6.8
Cross-site request forgery (CSRF) vulnerability in admin.php in Collabtive 0.6.5 allows remote attackers to hijack the authentication of administrators for requests that add administrative users via the edituser action.
28-11-2012 - 23:27 26-11-2012 - 18:55
CVE-2012-6047 6.8
Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that add a user to an arbitrary group via the users page in an adminpanel action to ind
27-11-2012 - 00:00 26-11-2012 - 23:49
CVE-2012-6039 7.5
SQL injection vulnerability in view_comments.php in YABSoft Advanced Image Hosting (AIH) Script, possibly 2.3, allows remote attackers to execute arbitrary SQL commands via the gal parameter.
27-11-2012 - 00:00 26-11-2012 - 17:55
CVE-2012-6038 6.5
admin/core/admin_func.php in razorCMS before 1.2.1 does not properly restrict access to certain administrator directories and files, which allows remote authenticated users to read, edit, rename, move, copy and delete files via the (1) dir parameter
27-11-2012 - 00:00 26-11-2012 - 17:55
CVE-2010-5280 7.5
Directory traversal vulnerability in the Community Builder Enhanced (CBE) (com_cbe) component 1.4.8, 1.4.9, and 1.4.10 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tabname parameter in a u
27-11-2012 - 00:00 26-11-2012 - 18:55
CVE-2008-3128 5.0
Directory traversal vulnerability in search.php in Pivot 1.40.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the t parameter.
26-11-2012 - 22:48 10-07-2008 - 19:41
CVE-2012-1673 7.5
SQL injection vulnerability in loginscript.php in e-ticketing allows remote attackers to execute arbitrary SQL commands via the password parameter.
19-11-2012 - 23:43 11-04-2012 - 06:39
CVE-2012-1672 7.5
SQL injection vulnerability in getcity.php in Hotel Booking Portal 0.1 allows remote attackers to execute arbitrary SQL commands via the country parameter.
19-11-2012 - 23:43 11-04-2012 - 06:39
CVE-2012-5918 4.0
razorCMS 1.2 allows remote authenticated users to access administrator directories and files by creating and deleting a directory.
19-11-2012 - 10:51 19-11-2012 - 07:10
CVE-2012-5912 7.5
Multiple SQL injection vulnerabilities in PicoPublisher 2.0 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) page.php or (2) single.php.
19-11-2012 - 00:00 17-11-2012 - 16:55
CVE-2012-5898 6.8
Cross-site request forgery (CSRF) vulnerability in SAMEDIA LandShop 0.9.2 allows remote attackers to hijack the authentication of administrators for requests that change account settings.
19-11-2012 - 00:00 17-11-2012 - 16:55
CVE-2011-5211 4.3
Cross-site scripting (XSS) vulnerability in the poll module in Subrion CMS 2.0.4 allows remote attackers to inject arbitrary web script or HTML via the title field. NOTE: some of these details are obtained from third party information. NOTE: this m
15-11-2012 - 00:00 22-10-2012 - 19:55
CVE-2012-1900 6.8
Cross-site request forgery (CSRF) vulnerability in admin/index.php in RazorCMS 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary web pages via a showcats action.
08-11-2012 - 00:00 22-10-2012 - 19:55
CVE-2011-5228 4.3
Cross-site scripting (XSS) vulnerability in the Search module (quickstart/search) in appRain CMF 0.1.5 allows remote attackers to inject arbitrary web script or HTML via the ss parameter.
08-11-2012 - 00:00 25-10-2012 - 13:55
CVE-2012-1979 3.5
Cross-site scripting (XSS) vulnerability in starnet/index.php in SyndeoCMS 3.0.01 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the email parameter (aka Email address field) in an edit_user configuration act
06-11-2012 - 00:10 17-04-2012 - 14:55
CVE-2012-1670 5.0
admin/index.php in PHP Grade Book before 1.9.5 BETA allows remote attackers to read the database via a SaveSQL action.
06-11-2012 - 00:09 31-03-2012 - 10:55
CVE-2011-5026 4.3
Cross-site scripting (XSS) vulnerability in the addPost function in data/functions.php in Winn GuestBook before 2.4.8d allows remote attackers to inject arbitrary web script or HTML via the name parameter to index.php. NOTE: some of these details ar
06-11-2012 - 00:04 28-12-2011 - 23:15
CVE-2011-5230 7.5
Multiple SQL injection vulnerabilities in the selectUserIdByLoginPass function in seotoaster_core/application/models/LoginModel.php in Seotoaster 1.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to
06-11-2012 - 00:00 25-10-2012 - 13:55
CVE-2011-5229 7.5
SQL injection vulnerability in quickstart/profile/index.php in the Forum module in appRain CMF 0.1.5 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO.
06-11-2012 - 00:00 25-10-2012 - 13:55
CVE-2008-6132 6.8
Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.
05-11-2012 - 23:14 13-02-2009 - 13:30
CVE-2008-5063 10.0
PHP remote file inclusion vulnerability in Admin/ADM_Pagina.php in OTManager 2.4 allows remote attackers to execute arbitrary PHP code via a URL in the Tipo parameter.
05-11-2012 - 23:11 13-11-2008 - 06:30
CVE-2008-5053 10.0
PHP remote file inclusion vulnerability in admin.rssreader.php in the Simple RSS Reader (com_rssreader) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
05-11-2012 - 23:11 13-11-2008 - 06:30
CVE-2008-3598 7.5
Multiple SQL injection vulnerabilities in psipuss 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the Cid parameter to categories.php or (2) the Username parameter to login.php.
05-11-2012 - 23:07 12-08-2008 - 15:41
CVE-2007-3808 7.5
SQL injection vulnerability in includes/search.php in paFileDB 3.6 allows remote attackers to execute arbitrary SQL commands via the categories[] parameter in a search action to index.php, a different vector than CVE-2005-2000.
05-11-2012 - 22:43 16-07-2007 - 20:30
CVE-2007-3632 6.8