Max CVSS: 10.0 | Min CVSS: 1.9 | Total count: 5931
ID | CVSS | Summary | Last (major) update | Published
CVE-2017-14087 5.0
A Host Header Injection vulnerability in Trend Micro OfficeScan XG (12.0) may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14086 7.8
Pre-authorization Start Remote Process vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to start the fcgiOfcDDA.exe executable or cause a potential INI corruption, which may ca
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14085 6.4
Information disclosure vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to query the network's NT domain or the PHP version and modules.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14083 5.0
A vulnerability in Trend Micro OfficeScan 11.0 and XG allows remote unauthenticated users who can access the system to download the OfficeScan encryption file.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-12617 None
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload
03-10-2017 - 21:29 03-10-2017 - 21:29
CVE-2017-6090 6.5
Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to th
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-6089 7.5
SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14848 6.5
WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14758 6.5
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulne
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14757 6.5
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In ord
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14942 7.5
Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg containing an admin:language=pt cookie.
29-09-2017 - 21:29 29-09-2017 - 21:29
CVE-2017-14738 7.5
FileRun (version 2017.09.18 and below) suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the metafield parameter inside the metasearch module (under the search function).
29-09-2017 - 21:29 29-09-2017 - 21:29
CVE-2017-14620 4.3
SmarterStats version 11.3.6347 renders the Referer field of HTTP log files at the URL /Data/Reports/ReferringURLsWithQueries, resulting in stored cross-site scripting.
29-09-2017 - 21:29 29-09-2017 - 21:29
CVE-2017-14507 7.5
Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_
28-09-2017 - 21:34 28-09-2017 - 21:34
CVE-2017-14847 6.5
Mojoomla WPAMS Apartment Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14846 6.5
Mojoomla Hospital Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14845 6.5
Mojoomla WPCHURCH Church Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14844 6.5
Mojoomla WPGYM WordPress Gym Management System allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14843 6.5
Mojoomla School Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14842 6.5
Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14841 4.0
Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14840 6.5
TeamWork TicketPlus allows Arbitrary File Upload in updateProfile.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14839 6.5
TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14838 6.5
TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14704 6.5
Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension, t
26-09-2017 - 10:29 26-09-2017 - 10:29
CVE-2017-14703 7.5
SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/.
26-09-2017 - 09:29 26-09-2017 - 09:29
CVE-2015-7293 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
25-09-2017 - 17:29 25-09-2017 - 17:29
CVE-2015-4669 7.2
The MySQL "root" user in Xsuite 2.3.0 and 2.4.3.0 does not have a password set, which allows local users to access databases on the system.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2015-4668 5.8
Open redirect vulnerability in Xsuite 2.3.0 and 2.4.3.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirurl parameter.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2015-4667 7.5
Multiple hardcoded credentials in Xsuite 2.3.0 and 2.4.3.0.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2017-14717 3.5
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
22-09-2017 - 15:29 22-09-2017 - 15:29
CVE-2017-14712 3.5
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
22-09-2017 - 15:29 22-09-2017 - 15:29
CVE-2017-14618 3.5
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
20-09-2017 - 17:29 20-09-2017 - 17:29
CVE-2015-7347 3.5
Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1.
20-09-2017 - 14:29 20-09-2017 - 14:29
CVE-2015-2826 5.0
WordPress Simple Ads Manager plugin 2.5.94 and 2.5.96 allows remote attackers to obtain sensitive information.
20-09-2017 - 14:29 20-09-2017 - 14:29
CVE-2015-4075 6.8
The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4074 5.0
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4073 7.5
Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (3) remote authenticated users to execute arbitrary
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4072 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to inject arbitrary web script or HTML via vectors related to name and message.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2017-8770 7.8
There is LFD (local file disclosure) on BE126 WIFI repeater 1.0 devices that allows attackers to read the entire filesystem on the device via a crafted getpage parameter.
20-09-2017 - 10:29 20-09-2017 - 10:29
CVE-2015-4685 4.4
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users with access to the plcm account to gain privileges via a script in /var/polycom/cma/upgrade/scripts, related to a sudo misconfiguration.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4684 5.5
Multiple directory traversal vulnerabilities in Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allow (1) remote authenticated users to read arbitrary files via a .. (dot dot) in the Modifier parameter to PlcmRmWeb/FileDownload; or remote
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4683 7.5
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4682 4.0
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows remote authenticated users to obtain the installation path via an HTTP POST request to PlcmRmWeb/JConfigManager.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4681 7.2
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users to have unspecified impact via vectors related to weak passwords.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2014-9619 6.5
Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9618 7.5
The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9611 7.5
Netsweeper before 4.0.5 allows remote attackers to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9610 5.0
Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and remove IP addresses from the quarantine via the ip parameter to webadmin/user/quarantine_disable.php.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2017-12615 6.8
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP
19-09-2017 - 09:29 19-09-2017 - 09:29
CVE-2017-9798 5.0
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2
18-09-2017 - 11:29 18-09-2017 - 11:29
CVE-2017-14244 10.0
An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi a
17-09-2017 - 15:29 17-09-2017 - 15:29
CVE-2017-14243 10.0
An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from HTML source, as demonstrated by info.cgi, upload
17-09-2017 - 15:29 17-09-2017 - 15:29
CVE-2014-9463 9.0
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
15-09-2017 - 16:29 15-09-2017 - 16:29
CVE-2017-1002008 7.5
Vulnerability in the WordPress plugin membership-simplified-for-oap-members-only v1.58: the file download code located at membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002003 7.5
Vulnerability in the WordPress plugin wp2android-turn-wp-site-into-android-app v1.1.4: the plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002002 7.5
Vulnerability in the WordPress plugin webapp-builder v2.0: the plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002001 7.5
Vulnerability in the WordPress plugin mobile-app-builder-by-wappress v1.05: the plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002000 7.5
Vulnerability in the WordPress plugin mobile-friendly-app-builder-by-easytouch v3.0: the code in ./mobile-friendly-app-builder-by-easytouch/server/images.php does not require authentication or check that the user is allowed to upload content.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-3133 4.3
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN.
11-09-2017 - 22:29 11-09-2017 - 22:29
CVE-2017-3132 4.3
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the action input during the activation of a FortiToken.
11-09-2017 - 22:29 11-09-2017 - 22:29
CVE-2017-3131 3.5
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to execute unauthorized code or commands via the filter input in "Applications" under FortiView.
11-09-2017 - 22:29 11-09-2017 - 22:29
CVE-2015-9227 6.5
PHP remote file inclusion vulnerability in the get_file function in upload/admin2/controller/report_logs.php in AlegroCart 1.2.8 allows remote administrators to execute arbitrary PHP code via a URL in the file_path parameter to upload/admin2.
11-09-2017 - 16:29 11-09-2017 - 16:29
CVE-2015-9226 6.5
Multiple SQL injection vulnerabilities in AlegroCart 1.2.8 allow remote administrators to execute arbitrary SQL commands via the download parameter in the (1) check_download and possibly (2) check_filename function in upload/admin2/model/products/mod
11-09-2017 - 16:29 11-09-2017 - 16:29
CVE-2015-8351 6.8
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captc
11-09-2017 - 16:29 11-09-2017 - 16:29
CVE-2017-14219 4.3
XSS (persistent) on the Intelbras Wireless N 150Mbps router with firmware WRN 240 allows attackers to steal wireless credentials without being connected to the network, related to userRpm/popupSiteSurveyRpm.htm and userRpm/WlanSecurityRpm.htm. The at
07-09-2017 - 18:29 07-09-2017 - 18:29
CVE-2015-3314 6.8
SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5.
07-09-2017 - 16:29 07-09-2017 - 16:29
CVE-2015-3313 7.5
SQL injection vulnerability in WordPress Community Events plugin before 1.4.
07-09-2017 - 16:29 07-09-2017 - 16:29
CVE-2017-9834 7.5
SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the watupro_questions parameter in a watupro_submit action to wp-admin/admin-ajax.php.
07-09-2017 - 10:29 07-09-2017 - 10:29
CVE-2017-14147 7.5
An issue was discovered on FiberHome User End Routers Bearing Model Number AN1020-25 which could allow an attacker to easily restore a router to its factory settings by simply browsing to the link http://[Default-Router-IP]/restoreinfo.cgi & execute
07-09-2017 - 10:29 07-09-2017 - 10:29
CVE-2017-13754 3.5
Cross-site scripting (XSS) vulnerability in the "advanced settings - time server" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the "server name" field in actions/ChangeConfiguration.
07-09-2017 - 09:29 07-09-2017 - 09:29
CVE-2017-13713 6.5
T&W WIFI Repeater BE126 allows remote authenticated users to execute arbitrary code via shell metacharacters in the user parameter to cgi-bin/webupg.
07-09-2017 - 09:29 07-09-2017 - 09:29
CVE-2015-7241 7.5
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
06-09-2017 - 17:29 06-09-2017 - 17:29
CVE-2017-14126 4.3
The Participants Database plugin before 1.7.5.10 for WordPress has XSS.
04-09-2017 - 16:29 04-09-2017 - 16:29
CVE-2014-8677 3.5
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being u
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2014-8676 5.0
Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2014-8675 5.0
Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash.
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2017-9979 4.3
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker
28-08-2017 - 15:29 28-08-2017 - 15:29
CVE-2017-9978 5.0
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the system. An attacker could leverage this information to fine-tune and enumerate valid accounts on
28-08-2017 - 15:29 28-08-2017 - 15:29
CVE-2017-9650 4.6
An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, S
25-08-2017 - 15:29 25-08-2017 - 15:29
CVE-2017-9640 6.5
A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC
25-08-2017 - 15:29 25-08-2017 - 15:29
CVE-2015-8352 10.0
Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.
24-08-2017 - 17:29 24-08-2017 - 17:29
CVE-2015-7259 9.0
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and pass
24-08-2017 - 16:29 24-08-2017 - 16:29
CVE-2015-7258 9.0
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain user passwords by displaying user information in a Telnet connection.
24-08-2017 - 16:29 24-08-2017 - 16:29
CVE-2015-7257 8.5
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from
24-08-2017 - 16:29 24-08-2017 - 16:29
CVE-2017-12971 4.3
Cross-site scripting (XSS) vulnerability in Apache2Triad 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the account parameter to phpsftpd/users.php.
23-08-2017 - 12:29 23-08-2017 - 12:29
CVE-2017-12970 6.8
Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack the authentication of authenticated users for requests that (1) add or (2) delete user accounts via a request to phpsftpd/users.php.
23-08-2017 - 12:29 23-08-2017 - 12:29
CVE-2017-12965 7.5
Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
23-08-2017 - 12:29 23-08-2017 - 12:29
CVE-2017-12984 4.3
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
21-08-2017 - 03:29 21-08-2017 - 03:29
CVE-2015-4071 5.0
The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote attackers to read the support tickets of arbitrary users via obtaining the target ticketId, and navigating to http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}.
18-08-2017 - 14:29 18-08-2017 - 14:29
CVE-2017-9767 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Quali CloudShell before 8 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Name or (2) Description parameter to RM/Reservation/ReserveNew; the (3) Description p
18-08-2017 - 12:29 18-08-2017 - 12:29
CVE-2017-12943 5.0
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.
18-08-2017 - 11:29 18-08-2017 - 11:29
CVE-2017-12853 6.8
The RealTime RWR-3G-100 router, firmware version Ver1.0.56, is affected by CSRF, an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
14-08-2017 - 16:29 14-08-2017 - 16:29
CVE-2017-6327 6.5
The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute commands remotely on a target machine or in a target process. In thi
11-08-2017 - 16:29 11-08-2017 - 16:29
CVE-2014-5144 3.5
Cross-site scripting (XSS) vulnerability in Telescope before 0.9.3 allows remote authenticated users to inject arbitrary web script or HTML via crafted markdown.
09-08-2017 - 14:29 09-08-2017 - 14:29
CVE-2017-11155 5.0
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11154 6.5
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11153 7.5
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11152 5.0
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11151 7.5
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-10246 6.4
Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: iHelp). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthentic
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2015-7571 6.8
Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
07-08-2017 - 16:29 07-08-2017 - 16:29
CVE-2014-9262 5.5
The Duplicator plugin in WordPress before 0.5.10 allows remote authenticated users to create and download backup files.
07-08-2017 - 13:29 07-08-2017 - 13:29
CVE-2017-11320 4.3
Persistent XSS through the SSID of nearby Wi-Fi devices on Technicolor TC7337 routers 08.89.17.20.00 allows an attacker to cause DNS Poisoning and steal credentials from the router.
03-08-2017 - 04:29 03-08-2017 - 04:29
CVE-2017-11356 4.0
The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control.
02-08-2017 - 15:29 02-08-2017 - 15:29
CVE-2017-11355 4.3
Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page
02-08-2017 - 15:29 02-08-2017 - 15:29
CVE-2017-11494 7.5
SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a login action.
02-08-2017 - 10:29 02-08-2017 - 10:29
CVE-2016-0736 5.0
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated en
27-07-2017 - 17:29 27-07-2017 - 17:29
CVE-2017-9413 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmi
25-07-2017 - 14:29 25-07-2017 - 14:29
CVE-2015-2798 7.5
SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
25-07-2017 - 14:29 25-07-2017 - 14:29
CVE-2015-2280 9.0
snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the mac parameter.
24-07-2017 - 21:29 24-07-2017 - 21:29
CVE-2015-2279 10.0
cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, w
24-07-2017 - 21:29 24-07-2017 - 21:29
CVE-2017-9415 5.1
Cross-site request forgery (CSRF) vulnerability in Subsonic 6.1.1 allows remote attackers with knowledge of the target username to hijack the authentication of users for requests that change passwords via a crafted request to userSettings.view.
21-07-2017 - 10:29 21-07-2017 - 10:29
CVE-2017-7037 6.8
An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue inv
20-07-2017 - 12:29 20-07-2017 - 12:29
CVE-2017-6316 10.0
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than
20-07-2017 - 00:29 20-07-2017 - 00:29
CVE-2017-6320 9.0
A remote command injection vulnerability exists in the Barracuda Load Balancer product line (confirmed on v5.4.0.004 (2015-11-26) and v6.0.1.006 (2016-08-19); fixed in 6.1.0.003 (2017-01-17)) in which an authenticated user can execute arbitrary shell
18-07-2017 - 10:29 18-07-2017 - 10:29
CVE-2017-9813 4.3
In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312), the scriptName parameter of the licenseKeyInfo action method is vulnerable to cross-site scripting (XSS).
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-9812 5.0
The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary files with kluser privileges.
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-9811 10.0
The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). By abusing the quarantine read and write operations, it is possible to elevate t
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-9810 6.8
There are no Anti-CSRF tokens in any forms on the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). This would allow an attacker to submit authenticated requests when an authenti
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-11346 7.5
Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.
17-07-2017 - 09:18 17-07-2017 - 09:18
CVE-2017-11165 5.0
dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI.
12-07-2017 - 08:29 12-07-2017 - 08:29
CVE-2017-7175 9.0
NfSen before 1.3.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the customfmt parameter (aka the "Custom output format" field).
10-07-2017 - 15:29 10-07-2017 - 15:29
CVE-2017-9791 7.5
The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
10-07-2017 - 12:29 10-07-2017 - 12:29
CVE-2017-6086 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST
27-06-2017 - 16:29 27-06-2017 - 16:29
CVE-2017-9833 5.0
/cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges.
23-06-2017 - 22:29 23-06-2017 - 22:29
CVE-2015-9098 10.0
In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monit
22-06-2017 - 15:29 22-06-2017 - 15:29
CVE-2016-7508 6.0
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
21-06-2017 - 16:29 21-06-2017 - 16:29
CVE-2017-9757 6.5
IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.
19-06-2017 - 09:29 19-06-2017 - 09:29
CVE-2017-9730 7.5
SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
19-06-2017 - 08:29 19-06-2017 - 08:29
CVE-2017-9602 7.5
KBVault Mysql Free Knowledge Base application package 0.16a comes with a FileExplorer/Explorer.aspx?id=/Uploads file-management component. An unauthenticated user can access the file upload and deletion functionality. Through this functionality, a us
16-06-2017 - 09:29 16-06-2017 - 09:29
CVE-2017-9603 6.5
SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php.
13-06-2017 - 14:29 13-06-2017 - 14:29
CVE-2017-9429 6.5
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php.
13-06-2017 - 14:29 13-06-2017 - 14:29
CVE-2017-9557 5.0
register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to discover passwords by sending the username parameter in conjunction with an empty password parameter, and reading the HTML source code of the response.
12-06-2017 - 11:29 12-06-2017 - 11:29
CVE-2017-9418 6.5
SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php.
12-06-2017 - 09:29 12-06-2017 - 09:29
CVE-2017-9543 5.0
register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm.
12-06-2017 - 02:29 12-06-2017 - 02:29
CVE-2014-8687 10.0
Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens.
08-06-2017 - 12:29 08-06-2017 - 12:29
CVE-2017-9516 3.5
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
08-06-2017 - 09:29 08-06-2017 - 09:29
CVE-2015-7346 7.5
SQL injection vulnerability in ZCMS 1.1.
07-06-2017 - 17:29 07-06-2017 - 17:29
CVE-2017-8841 7.5
Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmwar
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8840 5.0
Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LA
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8839 4.3
XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi.
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8838 4.3
XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is cgi-bin/HASync/hasync.cgi.
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8837 5.0
Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The files in question are /etc/waipass and /etc/roapass. In case one of
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8836 6.8
CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to exec
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8835 7.5
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enume
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-9243 4.3
Aries QWR-1104 Wireless-N Router with Firmware Version WRC.253.2.0913 has XSS on the Wireless Site Survey page, exploitable with the name of an access point.
28-05-2017 - 14:29 28-05-2017 - 14:29
CVE-2016-6256 6.8
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL
25-05-2017 - 21:29 25-05-2017 - 21:29
CVE-2017-1092 10.0
IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390.
22-05-2017 - 16:29 22-05-2017 - 16:29
CVE-2017-2528 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site t
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2515 6.8
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cau
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2510 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site t
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2508 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site t
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2504 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS)
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-9101 7.5
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.
21-05-2017 - 14:29 21-05-2017 - 14:29
CVE-2017-7620 4.3
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which
21-05-2017 - 10:29 21-05-2017 - 10:29
CVE-2017-9100 8.3
login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote attackers to bypass authentication by entering more than 20 blank spaces in the password field during an admin login attempt.
21-05-2017 - 00:29 21-05-2017 - 00:29
CVE-2017-9080 7.5
PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.
19-05-2017 - 11:29 19-05-2017 - 11:29
CVE-2017-5174 7.5
An Authentication Bypass issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass the access contr
18-05-2017 - 23:29 18-05-2017 - 23:29
CVE-2017-5173 10.0
An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been identified. If special elements are
18-05-2017 - 23:29 18-05-2017 - 23:29
CVE-2017-8917 7.5
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
17-05-2017 - 19:29 17-05-2017 - 19:29
CVE-2017-8382 3.5
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
16-05-2017 - 06:29 16-05-2017 - 06:29
CVE-2017-7953 3.5
INFOR EAM V11.0 Build 201410 has XSS via comment fields.
16-05-2017 - 06:29 16-05-2017 - 06:29
CVE-2017-7952 6.5
INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter.
16-05-2017 - 06:29 16-05-2017 - 06:29
CVE-2017-8928 6.8
mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF.
14-05-2017 - 18:29 14-05-2017 - 18:29
CVE-2017-8912 6.5
** DISPUTED ** CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor report
12-05-2017 - 03:29 12-05-2017 - 03:29
CVE-2017-7981 9.0
Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, an
11-05-2017 - 10:22 29-04-2017 - 12:59
CVE-2017-5638 10.0
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a
09-05-2017 - 21:29 10-03-2017 - 21:59
CVE-2017-8295 4.3
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for th
05-05-2017 - 21:29 04-05-2017 - 10:29
CVE-2017-7221 6.5
OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docba
05-05-2017 - 20:09 25-04-2017 - 10:59
CVE-2017-3549 7.5
Vulnerability in the Oracle Scripting component of Oracle E-Business Suite (subcomponent: Scripting Administration). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exploitable" vulnerabilit
04-05-2017 - 14:01 24-04-2017 - 15:59
CVE-2017-3548 6.4
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attac
04-05-2017 - 11:54 24-04-2017 - 15:59
CVE-2017-3546 6.4
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated a
04-05-2017 - 11:54 24-04-2017 - 15:59
CVE-2015-8257 9.0
The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_param
02-05-2017 - 10:59 02-05-2017 - 10:59
CVE-2016-4313 6.8
Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file.
01-05-2017 - 21:59 24-04-2017 - 14:59
CVE-2017-5631 4.3
An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string.
01-05-2017 - 10:59 01-05-2017 - 10:59
CVE-2014-7235 10.0
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP uns
28-04-2017 - 21:59 07-10-2014 - 10:55
CVE-2015-7247 7.8
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 discloses usernames, passwords, keys, values, and web account hashes (super and admin) in plaintext when running a configuration backup, which allows remote attackers to obtain se
28-04-2017 - 14:49 24-04-2017 - 14:59
CVE-2015-7246 10.0
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access.
28-04-2017 - 14:33 24-04-2017 - 14:59
CVE-2015-7245 5.0
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter.
28-04-2017 - 13:47 24-04-2017 - 14:59
CVE-2015-7568 7.5
SQL injection vulnerability in the password recovery feature in Yeager CMS 1.2.1 allows remote attackers to change the account credentials of known users via the "userEmail" parameter.
28-04-2017 - 12:26 24-04-2017 - 14:59
CVE-2015-7569 7.5
SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager CMS 1.2.1 allows local users to execute arbitrary SQL commands via the "pagedir_orderby" parameter.
27-04-2017 - 15:15 24-04-2017 - 14:59
CVE-2015-7570 6.4
Multiple server-side request forgery (SSRF) vulnerabilities in Yeager CMS 1.2.1 allow remote attackers to trigger outbound requests and enumerate open ports via the dbhost parameter to libs/org/adodb_lite/tests/test_adodb_lite.php, libs/org/adodb_lit
27-04-2017 - 13:45 24-04-2017 - 14:59
CVE-2015-8256 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.
24-04-2017 - 20:40 17-04-2017 - 12:59
CVE-2016-5312 4.0
Directory traversal vulnerability in the charting component in Symantec Messaging Gateway before 10.6.2 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the sn parameter to brightmail/servlet/com.ve.kavachart.servlet.Ch
22-04-2017 - 10:16 14-04-2017 - 14:59
CVE-2015-8356 6.0
Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (
22-04-2017 - 10:12 14-04-2017 - 10:59
CVE-2015-6567 6.5
Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Exploitation requires a registered user who has access
21-04-2017 - 14:22 14-04-2017 - 12:59
CVE-2015-6568 6.5
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for
21-04-2017 - 14:21 14-04-2017 - 12:59
CVE-2017-7615 6.5
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
21-04-2017 - 12:08 16-04-2017 - 10:59
CVE-2017-7725 4.3
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any
20-04-2017 - 17:15 13-04-2017 - 13:59
CVE-2015-7562 4.3
Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role.
20-04-2017 - 09:41 12-04-2017 - 18:59
CVE-2015-7563 6.8
Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user.
20-04-2017 - 09:40 12-04-2017 - 18:59
CVE-2015-7564 7.5
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in
20-04-2017 - 08:32 12-04-2017 - 18:59
CVE-2016-4337 7.5
SQL injection vulnerability in the mgr.login.php file in Ktools.net Photostore before 4.7.5 allows remote attackers to execute arbitrary SQL commands via the email parameter in a recover_login action.
19-04-2017 - 15:47 12-04-2017 - 18:59
CVE-2016-1915 4.3
Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to inject arbitrary web script or HTML via the locale parameter to (1) mydevice/index.jsp or (2) mydevice/l
19-04-2017 - 15:46 13-04-2017 - 10:59
CVE-2016-1914 6.8
Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) m
19-04-2017 - 15:45 13-04-2017 - 10:59
CVE-2015-8284 6.5
SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2015-8283 6.8
Directory traversal vulnerability in configure_manage.php in SeaWell Networks Spectrum SDC 02.05.00.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2015-8282 7.5
SeaWell Networks Spectrum SDC 02.05.00 has a default password of "admin" for the "admin" account.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2017-7462 7.5
Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a remote attacker access to a vendor-supplied CGI script in the web directory.
18-04-2017 - 11:59 11-04-2017 - 11:59
CVE-2017-7461 6.8
Directory traversal vulnerability in the web-based management site on the Intellinet NFC-30ir IP Camera with firmware LM.1.6.16.05 allows remote attackers to read arbitrary files via a request to a vendor-supplied CGI script that is used to read HTML
18-04-2017 - 11:56 11-04-2017 - 11:59
CVE-2017-6206 5.0
D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vecto
17-04-2017 - 21:59 23-02-2017 - 01:59
CVE-2017-6088 9.0
Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) bp_name, (2) display, (3) search, or (4) equipment parameter to module/monitoring_ged/ged
17-04-2017 - 14:18 11-04-2017 - 14:59
CVE-2017-7588 10.0
On certain Brother devices, authorization is mishandled by including a valid AuthCookie cookie in the HTTP response to a failed login attempt. Affected models are: MFC-J6973CDW MFC-J4420DW MFC-8710DW MFC-J4620DW MFC-L8850CDW MFC-J3720 MFC-J6520DW MFC
17-04-2017 - 11:44 12-04-2017 - 06:59
CVE-2017-5607 4.3
Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window name
17-04-2017 - 09:26 10-04-2017 - 11:59
CVE-2017-6190 5.0
Directory traversal vulnerability in the web interface on the D-Link DWR-116 device with firmware before V1.05b09 allows remote attackers to read arbitrary files via a .. (dot dot) in a "GET /uir/" request.
14-04-2017 - 21:59 10-04-2017 - 10:59
CVE-2015-8258 7.8
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
13-04-2017 - 15:57 09-04-2017 - 23:59
CVE-2015-8255 6.8
AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi.
13-04-2017 - 14:59 09-04-2017 - 23:59
CVE-2017-7571 6.0
public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtaining admin privileges.
12-04-2017 - 16:36 06-04-2017 - 13:59
CVE-2017-6884 9.0
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors t
12-04-2017 - 14:29 06-04-2017 - 13:59
CVE-2017-7398 6.8
D-Link DIR-615 HW: T1 FW:20.09 has a Cross-Site Request Forgery (CSRF) vulnerability. This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated, as demonstrated by chang
11-04-2017 - 11:04 04-04-2017 - 10:59
CVE-2014-1677 5.0
Technicolor TC7200 with firmware STD6.01.12 could allow remote attackers to obtain sensitive information.
11-04-2017 - 09:36 03-04-2017 - 11:59
CVE-2017-7447 6.8
HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote execution of arbitrary PHP code.
10-04-2017 - 21:59 05-04-2017 - 18:59
CVE-2017-7446 6.8
HelpDEZk 1.1.1 has CSRF in admin/home#/person/ with an impact of obtaining admin privileges.
10-04-2017 - 18:19 05-04-2017 - 18:59
CVE-2017-7402 7.5
Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/
10-04-2017 - 12:24 03-04-2017 - 13:59
CVE-2014-9916 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) tribe_name or (2) tags parameter in a tribes page request to user/ or the (3) user_id or (4) fullname par
07-04-2017 - 19:58 23-02-2017 - 21:59
CVE-2017-2442 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit JavaScript Bindings" component. It allows remote attackers to bypass the Same Origin Policy and obtain sens
07-04-2017 - 14:42 01-04-2017 - 21:59
CVE-2017-2479 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. tvOS before 10.2 is affected. The issue involves the
07-04-2017 - 14:41 01-04-2017 - 21:59
CVE-2017-2457 6.8
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corru
06-04-2017 - 15:33 01-04-2017 - 21:59
CVE-2017-2480 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. tvOS before 10.2 is affected. The issue involves the
06-04-2017 - 15:30 01-04-2017 - 21:59
CVE-2017-2445 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attack
06-04-2017 - 15:08 01-04-2017 - 21:59
CVE-2017-2367 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and o
06-04-2017 - 15:08 01-04-2017 - 21:59
CVE-2017-6549 9.3
Session hijack vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N
05-04-2017 - 21:59 09-03-2017 - 04:59
CVE-2017-6548 10.0
Buffer overflows in networkmap on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N300, an
05-04-2017 - 21:59 09-03-2017 - 04:59
CVE-2017-6547 4.3
Cross-site scripting (XSS) vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-A
05-04-2017 - 21:59 09-03-2017 - 04:59
CVE-2017-6182 7.5
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
04-04-2017 - 14:42 30-03-2017 - 13:59
CVE-2015-8309 4.0
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
29-03-2017 - 21:59 27-03-2017 - 11:59
CVE-2017-6366 6.8
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dn
29-03-2017 - 10:03 15-03-2017 - 10:59
CVE-2017-6087 6.5
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_f
28-03-2017 - 21:59 24-03-2017 - 10:59
CVE-2017-5869 6.5
Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.
28-03-2017 - 21:59 24-03-2017 - 10:59
CVE-2016-1000125 7.5
Unauthenticated SQL injection in Huge-IT Catalog v1.0.7 for Joomla.
28-03-2017 - 14:31 06-10-2016 - 10:59
CVE-2016-1000124 7.5
Unauthenticated SQL injection in Huge-IT Portfolio Gallery Plugin v1.0.6.
28-03-2017 - 14:31 06-10-2016 - 10:59
CVE-2017-2641 7.5
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
28-03-2017 - 13:16 26-03-2017 - 14:59
CVE-2017-6972 10.0
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an error in privilege dropping and unnecessarily execute the NfSen Perl code as root, aka AlienVault ID ENG-104945, a different vulnerability than CVE-2017-6970 and CVE-2017-6971.
28-03-2017 - 12:36 22-03-2017 - 16:59
CVE-2017-6971 9.0
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka Alien
28-03-2017 - 12:24 22-03-2017 - 10:59
CVE-2017-6361 10.0
QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.
28-03-2017 - 10:44 23-03-2017 - 12:59
CVE-2017-6359 10.0
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands via unspecified vectors.
28-03-2017 - 10:39 23-03-2017 - 12:59
CVE-2017-6360 10.0
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
28-03-2017 - 10:37 23-03-2017 - 12:59
CVE-2017-6896 6.5
Privilege escalation vulnerability on the DIGISOL DG-HR1400 1.00.02 wireless router enables an attacker to escalate from user privilege to admin privilege just by modifying the Base64-encoded session cookie value.
24-03-2017 - 21:59 14-03-2017 - 16:59
CVE-2017-6803 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin pa
23-03-2017 - 13:22 20-03-2017 - 12:59
CVE-2017-6550 7.5
Multiple SQL injection vulnerabilities in Kinsey Infor-Lawson (formerly ESBUS) allow remote attackers to execute arbitrary SQL commands via the (1) TABLE parameter to esbus/servlet/GetSQLData or (2) QUERY parameter to KK_LS9ReportingPortal/GetData.
23-03-2017 - 11:09 20-03-2017 - 12:59
CVE-2017-5496 5.0
Sawmill Enterprise 8.7.9 allows remote attackers to gain login access by leveraging knowledge of a password hash.
21-03-2017 - 14:43 15-03-2017 - 11:59
CVE-2016-8855 4.3
Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev. 160519 (8.1 Update-3) allows remote attacks via the Name or Description parameter. This is fixed in 8.2 Update-
21-03-2017 - 10:30 19-03-2017 - 14:59
CVE-2016-6174 6.8
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execut
20-03-2017 - 21:59 12-07-2016 - 15:59
CVE-2017-6823 6.5
Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.
16-03-2017 - 21:59 12-03-2017 - 00:59
CVE-2017-6443 4.3
Cross-site scripting (XSS) vulnerability in EPSON TMNet WebConfig 1.00 allows remote attackers to inject arbitrary web script or HTML via the W_AD1 parameter to Forms/oadmin_1.
16-03-2017 - 14:17 15-03-2017 - 11:59
CVE-2017-6529 6.8
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter.
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2017-6528 4.3
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affected by plaintext password storage (the /home/dna/spool/.pfile file).
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2017-6527 5.0
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to a NUL-terminated directory traversal attack allowing an unauthenticated attacker to access system files readable by the web server user (by using the viewAppletFsa.cgi se
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2017-6526 10.0
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2016-10043 10.0
An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS comm
13-03-2017 - 10:59 31-01-2017 - 13:59
CVE-2015-6023 7.5
ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmware before 3G10WVE-L101-S306ETS-C01_R05 allows remote attackers to bypass intended access restrictions via a direct request. NOTE: this issue can be combined with CVE-2015-6024 to e
09-03-2017 - 15:33 09-02-2017 - 10:59
CVE-2015-6024 10.0
ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmware before 3G10WVE-L101-S306ETS-C01_R05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the DIA_IPADDRESS parameter.
09-03-2017 - 15:28 09-02-2017 - 10:59
CVE-2017-6411 6.8
Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devices allows remote attackers to change the DNS or firewall configuration or any password.
07-03-2017 - 21:59 06-03-2017 - 01:59
CVE-2017-6334 9.0
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-20
07-03-2017 - 20:33 05-03-2017 - 21:59
CVE-2017-6104 5.0
Remote file upload vulnerability in WordPress Plugin Mobile App Native 3.0.
07-03-2017 - 09:17 02-03-2017 - 17:59
CVE-2017-5344 7.5
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklis
06-03-2017 - 21:59 17-02-2017 - 02:59
CVE-2017-5982 5.0
Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files via a %2E%2E%252e (encoded dot dot slash) in the image path, as demonstrated by image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd.
02-03-2017 - 21:59 28-02-2017 - 13:59
CVE-2017-6077 10.0
ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping_IPAddr field of an HTTP POST request.
01-03-2017 - 21:59 22-02-2017 - 18:59
CVE-2016-9682 10.0
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in its web administrative interface. These vulnerabilities occur in the diagnostics CGI (/cgi-bin/diagnostics) component re
01-03-2017 - 21:59 22-02-2017 - 00:59
CVE-2015-2794 7.5
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
01-03-2017 - 21:59 06-02-2017 - 10:59
CVE-2016-6175 7.5
Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
28-02-2017 - 12:49 07-02-2017 - 10:59
CVE-2017-5630 5.0
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess ove
28-02-2017 - 10:34 01-02-2017 - 18:59
CVE-2016-3694 7.5
Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status par
23-02-2017 - 13:20 15-02-2017 - 14:59
CVE-2017-6097 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (requires authentication to WordPress admin) with the POST parameter camp_id.
23-02-2017 - 10:07 21-02-2017 - 02:59
CVE-2017-6096 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (requires authentication to WordPress admin) with the GET parameter filter_list.
23-02-2017 - 10:07 21-02-2017 - 02:59
CVE-2017-6095 7.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (unauthenticated) with the GET parameter list_id.
23-02-2017 - 10:00 21-02-2017 - 02:59
CVE-2017-6098 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (requires authentication to WordPress admin) with the POST parameter list_id.
23-02-2017 - 09:57 21-02-2017 - 02:59
CVE-2016-4312 6.0
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, co
22-02-2017 - 11:23 16-02-2017 - 21:59
CVE-2016-4311 6.8
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-s
22-02-2017 - 11:20 16-02-2017 - 21:59
CVE-2017-2371 4.3
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "WebKit" component, which allows remote attackers to launch popups via a crafted web site.
22-02-2017 - 10:58 20-02-2017 - 03:59
CVE-2017-2365 4.3
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy
22-02-2017 - 10:56 20-02-2017 - 03:59
CVE-2017-2364 4.3
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive informatio
22-02-2017 - 10:56 20-02-2017 - 03:59
CVE-2017-2363 4.3
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "WebKit" component. It allows remote attacker
22-02-2017 - 10:56 20-02-2017 - 03:59
CVE-2009-0674 6.0
images/captcha.php in Raven Web Services RavenNuke 2.30, when register_globals and display_errors are enabled, allows remote attackers to determine the existence of local files by sending requests with full pathnames in the aFonts array parameter, an
19-02-2017 - 00:26 22-02-2009 - 17:30
CVE-2008-6282 6.5
SQL injection vulnerability in engine/users/users_edit_pub.inc in CMS Ortus 1.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the city parameter in a users_edit_pub action to index.php.
19-02-2017 - 00:25 25-02-2009 - 18:30
CVE-2008-5589 7.5
SQL injection vulnerability in processlogin.asp in Katy Whitton RankEm allows remote attackers to execute arbitrary SQL commands via the (1) txtusername parameter (aka username field) or the (2) txtpassword parameter (aka password field). NOTE: some
19-02-2017 - 00:24 16-12-2008 - 14:07
CVE-2008-3307 7.5
SQL injection vulnerability in todos.php in C. Desseno YouTube Blog (ytb) 0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3306.
19-02-2017 - 00:23 25-07-2008 - 12:41
CVE-2006-0944 7.5
Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1.
19-02-2017 - 00:11 28-02-2006 - 21:02
CVE-2016-4316 4.3
Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) setName parameter to identity-mgt/challenges-mgt.jsp; the (2) webappType or (3) httpPort parameter to w
17-02-2017 - 12:42 16-02-2017 - 21:59
CVE-2016-4314 4.0
Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the logFile parameter to downloadgz-ajaxprocessor.jsp.
17-02-2017 - 12:42 16-02-2017 - 21:59
CVE-2016-4315 3.5
Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp.
17-02-2017 - 12:35 16-02-2017 - 21:59
CVE-2016-9351 6.0
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. The directory traversal/file upload error allows an attacker to upload and unpack a zip file.
17-02-2017 - 09:22 13-02-2017 - 16:59
CVE-2016-9349 5.0
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. An attacker could traverse the file system and extract files that can result in information disclosure.
17-02-2017 - 09:06 13-02-2017 - 16:59
CVE-2016-2539 6.8
Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving
15-02-2017 - 08:18 07-02-2017 - 10:59
CVE-2016-6433 9.0
The Threat Management Console in Cisco Firepower Management Center 5.2.0 through 6.0.1 allows remote authenticated users to execute arbitrary commands via crafted web-application parameters, aka Bug ID CSCva30872.
10-02-2017 - 21:59 06-10-2016 - 06:59
CVE-2016-7400 7.5
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller acti
09-02-2017 - 17:25 07-02-2017 - 10:59
CVE-2016-6603 5.0
ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-6602 5.0
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combin
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-6601 5.0
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-6600 7.5
Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-4793 5.0
The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
31-01-2017 - 21:59 23-01-2017 - 16:59
CVE-2017-5594 4.3
An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability, a remote attacker is able to reset a registered user's password when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureL
27-01-2017 - 21:59 25-01-2017 - 13:59
CVE-2014-2045 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the old and new interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the username when (1) logging in or (2) creating an account in
26-01-2017 - 14:32 20-01-2017 - 10:59
CVE-2017-5473 6.8
Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/passwo
26-01-2017 - 13:15 14-01-2017 - 02:59
CVE-2016-10045 7.5
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal esca
25-01-2017 - 21:59 30-12-2016 - 14:59
CVE-2016-10033 7.5
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
25-01-2017 - 21:59 30-12-2016 - 14:59
CVE-2016-4010 7.5
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
25-01-2017 - 14:41 23-01-2017 - 16:59
CVE-2016-4340 6.5
The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.
25-01-2017 - 08:59 23-01-2017 - 16:59
CVE-2017-5521 4.3
An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password disclosure via simple crafted requests to the web management server. Th
23-01-2017 - 14:14 17-01-2017 - 04:59
CVE-2016-6896 5.5
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugi
20-01-2017 - 10:31 18-01-2017 - 16:59
CVE-2016-6283 4.3
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.
20-01-2017 - 08:58 18-01-2017 - 17:59
CVE-2016-6897 4.3
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by
20-01-2017 - 08:58 18-01-2017 - 16:59
CVE-2016-6435 4.0
The web console in Cisco Firepower Management Center 6.0.1 allows remote authenticated users to read arbitrary files via crafted parameters, aka Bug ID CSCva30376.
19-01-2017 - 21:59 06-10-2016 - 06:59
CVE-2009-0441 6.8
PHP remote file inclusion vulnerability in skin_shop/standard/2_view_body/body_default.php in TECHNOTE 7.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter, a diff
19-01-2017 - 21:59 10-02-2009 - 02:00
CVE-2008-4138 10.0
PHP remote file inclusion vulnerability in skin_shop/standard/3_plugin_twindow/twindow_notice.php in TECHNOTE 7 allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter.
19-01-2017 - 21:59 24-09-2008 - 01:41
CVE-2006-3142 7.5
SQL injection vulnerability in forum.php in VBZooM 1.11 allows remote attackers to execute arbitrary SQL commands via the MainID parameter.
19-01-2017 - 21:59 22-06-2006 - 18:06
CVE-2016-4806 5.0
Web2py versions 2.14.5 and below were affected by a Local File Inclusion vulnerability, which allows a malicious user to read/access sensitive web server files.
19-01-2017 - 11:29 11-01-2017 - 11:59
CVE-2016-4808 6.8
Web2py versions 2.14.5 and below were affected by a CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing unwanted actions, i.e. an attacker can trick a victim into disabling the installed applica
19-01-2017 - 11:18 11-01-2017 - 11:59
CVE-2017-5487 5.0
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp
18-01-2017 - 21:59 14-01-2017 - 21:59
CVE-2016-4807 3.5
Web2py versions 2.14.5 and below were affected by a reflected XSS vulnerability, which allows an attacker to perform an XSS attack on a logged-in user (admin).
11-01-2017 - 15:09 11-01-2017 - 11:59
CVE-2016-0891 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.
10-01-2017 - 23:10 20-04-2016 - 13:59
CVE-2016-10114 7.5
SQL injection vulnerability in the "aWeb Cart Watching System for Virtuemart" extension before 2.6.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via vectors involving categorysearch and smartSearch.
10-01-2017 - 21:59 03-01-2017 - 21:59
CVE-2015-4594 7.5
eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.
10-01-2017 - 19:21 10-01-2017 - 10:59
CVE-2015-4591 4.3
eClinicalWorks Population Health (CCMR) suffers from a cross-site scripting vulnerability in login.jsp which allows remote unauthenticated users to inject arbitrary JavaScript via the strMessage parameter.
10-01-2017 - 11:33 10-01-2017 - 10:59
CVE-2015-4593 6.8
eClinicalWorks Population Health (CCMR) suffers from a cross-site request forgery (CSRF) vulnerability in portalUserService.jsp which allows remote attackers to hijack the authentication of content administrators for requests that could lead to the c
10-01-2017 - 11:33 10-01-2017 - 10:59
CVE-2015-4592 7.5
eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input.
10-01-2017 - 11:33 10-01-2017 - 10:59
CVE-2014-8727 6.2
Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2.2 allow local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files via a .. (dot dot) in the name parameter to (1) tmui/Control/j
06-01-2017 - 22:00 17-11-2014 - 11:59
CVE-2014-6271 10.0
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceComman
06-01-2017 - 22:00 24-09-2014 - 14:48
CVE-2014-3857 6.5
Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php.
06-01-2017 - 22:00 03-07-2014 - 10:55
CVE-2014-2399 4.3
Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 2.2.2 allows remote attackers to affect integrity via unknown vectors related to Oracle Endeca Information Discovery (Formerly Latitude), a different vulnerab
06-01-2017 - 21:59 15-04-2014 - 21:55
CVE-2013-5528 4.0
Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug I
04-01-2017 - 09:52 10-10-2013 - 23:54
CVE-2016-10074 7.5
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mai
03-01-2017 - 13:56 30-12-2016 - 14:59
CVE-2016-10034 7.5
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently e
03-01-2017 - 13:07 30-12-2016 - 14:59
CVE-2014-6593 4.0
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
02-01-2017 - 21:59 21-01-2015 - 10:28
CVE-2014-6278 10.0
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the Force
02-01-2017 - 21:59 30-09-2014 - 06:55
CVE-2015-4127 4.3
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin
30-12-2016 - 21:59 28-05-2015 - 10:59
CVE-2015-4010 6.8
Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the
30-12-2016 - 21:59 09-06-2015 - 10:59
CVE-2015-2125 4.0
Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10.4 update 1 allows remote authenticated users to bypass intended access restrictions via unknown vectors.
30-12-2016 - 21:59 07-06-2015 - 14:59
CVE-2015-1833 6.4
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to
30-12-2016 - 21:59 29-05-2015 - 11:59
CVE-2015-1389 4.3
Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action.
30-12-2016 - 21:59 28-05-2015 - 10:59
CVE-2013-7349 7.5
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter to news/send.php, (2) thread_id parameter to posts/edit.php, or (3) user_email parameter to users/password.ph
30-12-2016 - 21:59 31-03-2014 - 23:25
CVE-2013-7316 4.3
Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html.
30-12-2016 - 21:59 24-01-2014 - 10:08
CVE-2013-7274 3.5
Cross-site scripting (XSS) vulnerability in Wallpaper Script 3.5.0082 allows remote authenticated users to inject arbitrary web script or HTML via the title field in a wallpaper file upload.
30-12-2016 - 21:59 08-01-2014 - 10:29
CVE-2013-5640 7.5
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php,
30-12-2016 - 21:59 31-03-2014 - 23:24
CVE-2013-5573 4.3
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
30-12-2016 - 21:59 31-12-2013 - 11:04
CVE-2011-0997 7.5
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstra
30-12-2016 - 21:59 08-04-2011 - 11:17
CVE-2015-1793 6.4
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers t
27-12-2016 - 21:59 09-07-2015 - 15:17
CVE-2016-6277 9.3
NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6
23-12-2016 - 21:59 14-12-2016 - 11:59
CVE-2015-5161 6.8
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML e
23-12-2016 - 21:59 25-08-2015 - 13:59
CVE-2014-2962 7.8
Absolute path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.
23-12-2016 - 21:59 19-06-2014 - 06:50
CVE-2016-7065 6.5
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
22-12-2016 - 21:59 13-10-2016 - 10:59
CVE-2016-9838 5.0
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account an
22-12-2016 - 11:27 16-12-2016 - 04:59
CVE-2016-0492 6.4
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Load Testing fo
22-12-2016 - 09:39 20-01-2016 - 22:00
CVE-2016-0491 6.4
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect integrity and availability via unknown vectors related to Load Testing for W
22-12-2016 - 09:38 20-01-2016 - 22:00
CVE-2016-1000123 7.5
Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
22-12-2016 - 09:21 06-10-2016 - 10:59
CVE-2015-7235 7.5
Multiple SQL injection vulnerabilities in dex_reservations.php in the CP Reservation Calendar plugin before 1.1.7 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a dex_reservations_calendar_load2 act
21-12-2016 - 22:00 17-09-2015 - 12:59
CVE-2015-6973 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2
21-12-2016 - 22:00 16-09-2015 - 15:59
CVE-2015-6962 7.5
SQL injection vulnerability in the web application in Farol allows remote attackers to execute arbitrary SQL commands via the email parameter to tkmonitor/estrutura/login/Login.actions.php.
21-12-2016 - 22:00 17-09-2015 - 11:59
CVE-2015-6827 6.8
Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1.0 allows remote attackers to hijack the authentication of users for requests that change a password via a request to signup.php.
21-12-2016 - 22:00 11-09-2015 - 11:59
CVE-2015-6805 3.5
Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.
21-12-2016 - 22:00 02-09-2015 - 10:59
CVE-2015-6655 6.8
Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via a request to admin/admin_users.php.
21-12-2016 - 22:00 31-08-2015 - 15:59
CVE-2015-6545 6.8
Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb before 7.0.4 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a saveWorkerPeek action.
21-12-2016 - 22:00 03-09-2015 - 13:59
CVE-2015-2321 4.3
Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the email field.
21-12-2016 - 21:59 13-08-2015 - 10:59
CVE-2012-6644 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.6 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to channels.php, (2) collections.php, (3) groups.php, or (4) videos.php; (5) query parameter
21-12-2016 - 21:59 08-04-2014 - 10:22
CVE-2016-5740 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mai
16-12-2016 - 14:24 15-12-2016 - 01:59
CVE-2016-6851 4.3
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication
16-12-2016 - 12:09 15-12-2016 - 01:59
CVE-2016-6853 4.3
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get ex
16-12-2016 - 12:09 15-12-2016 - 01:59
CVE-2016-6854 4.3
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can
16-12-2016 - 12:09 15-12-2016 - 01:59
CVE-2015-6522 7.5
SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.
09-12-2016 - 09:29 19-08-2015 - 11:59
CVE-2015-7387 7.5
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do,
07-12-2016 - 22:13 28-09-2015 - 11:59
CVE-2015-5531 5.0
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
07-12-2016 - 22:10 17-08-2015 - 11:59
CVE-2015-5075 6.8
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
07-12-2016 - 22:09 29-09-2015 - 15:59
CVE-2015-5074 7.5
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht ext
07-12-2016 - 22:09 29-09-2015 - 15:59
CVE-2008-6740 6.8
PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.
07-12-2016 - 22:01 21-04-2009 - 14:30
CVE-2008-5191 7.5
Multiple SQL injection vulnerabilities in SePortal 2.4 allow remote attackers to execute arbitrary SQL commands via the (1) poll_id parameter to poll.php and the (2) sp_id parameter to staticpages.php.
07-12-2016 - 22:01 21-11-2008 - 12:30
CVE-2015-8562 7.5
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
07-12-2016 - 13:28 16-12-2015 - 16:59
CVE-2015-8358 9.0
Directory traversal vulnerability in the bitrix.mpbuilder module before 1.0.12 for Bitrix allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the element name of the "work" array parameter to admin/bitrix.m
07-12-2016 - 13:27 16-12-2015 - 16:59
CVE-2015-8357 6.5
Directory traversal vulnerability in the bitrix.xscan module before 1.0.4 for Bitrix allows remote authenticated users to rename arbitrary files, and consequently obtain sensitive information or cause a denial of service, via a .. (dot dot) in the fi
07-12-2016 - 13:27 16-12-2015 - 16:59
CVE-2015-7986 7.5
The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note 2197428.
07-12-2016 - 13:25 27-10-2015 - 12:59
CVE-2015-7984 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that
07-12-2016 - 13:25 19-11-2015 - 15:59
CVE-2015-6018 10.0
The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attackers to execute arbitrary commands via the PingIPAddr parameter.
07-12-2016 - 13:17 31-12-2015 - 00:59
CVE-2015-5999 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password
07-12-2016 - 13:17 18-11-2015 - 11:59
CVE-2015-5603 6.5
The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."
07-12-2016 - 13:17 21-09-2015 - 15:59
CVE-2015-5534 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall before 1.8 allow remote attackers to hijack the authentication of administrators for requests that (1) put the website under maintenance via the maintenance_enable parameter or (2)
07-12-2016 - 13:16 02-11-2015 - 14:59
CVE-2015-5354 5.8
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
07-12-2016 - 13:16 01-07-2015 - 12:59
CVE-2015-5353 7.5
Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tab parameter to admin/.
07-12-2016 - 13:16 01-07-2015 - 12:59
CVE-2015-5149 5.5
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.
07-12-2016 - 13:15 30-06-2015 - 10:59
CVE-2015-5065 5.0
Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl
07-12-2016 - 13:15 24-06-2015 - 10:59
CVE-2015-4677 6.8
Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka Fiverr Script) 7.2 allows remote attackers to hijack the authentication of administrators for requests that create a new admin via a request to administrator/admins_create.php.
07-12-2016 - 13:13 19-06-2015 - 10:59
CVE-2015-4659 6.8
Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a config action to index.php.
07-12-2016 - 13:13 18-06-2015 - 14:59
CVE-2015-4460 6.8
Cross-site request forgery (CSRF) vulnerability in SecuritySetting/UserSecurity/UserManagement.aspx in B.A.S C2Box before 4.0.0 (r19171) allows remote attackers to hijack the authentication of administrators for requests that add administrator accoun
07-12-2016 - 13:12 16-07-2015 - 16:59
CVE-2015-4414 5.0
Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
07-12-2016 - 13:12 17-06-2015 - 14:59
CVE-2015-4153 5.0
Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to include and execute arbitrary php files via a relative path in the template parameter in a load_template action to wp-admin
07-12-2016 - 13:11 10-06-2015 - 14:59
CVE-2010-1622 6.0
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .ja
06-12-2016 - 21:59 21-06-2010 - 12:30
CVE-2014-3120 6.8
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended se
06-12-2016 - 13:13 28-07-2014 - 15:55
CVE-2016-1525 7.8
Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter.
05-12-2016 - 22:07 12-02-2016 - 21:59
CVE-2016-1524 8.3
Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP fi
05-12-2016 - 22:07 12-02-2016 - 21:59
CVE-2016-0956 7.8
The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors.
05-12-2016 - 22:06 10-02-2016 - 15:59
CVE-2016-0862 4.0
General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to obtain sensitive cleartext account information via unspecified vectors.
05-12-2016 - 22:05 05-02-2016 - 06:59
CVE-2016-0861 9.0
General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to execute arbitrary commands via unspecified vectors.
05-12-2016 - 22:05 05-02-2016 - 06:59
CVE-2015-8770 6.0
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execu
05-12-2016 - 22:04 29-01-2016 - 14:59
CVE-2015-4137 7.5
SQL injection vulnerability in related.php in Milw0rm Clone Script 1.0 allows remote attackers to execute arbitrary SQL commands via the program parameter.
05-12-2016 - 22:02 29-05-2015 - 10:59
CVE-2015-4119 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php
05-12-2016 - 22:02 15-06-2015 - 11:59
CVE-2015-4118 6.5
SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote atta
05-12-2016 - 22:02 15-06-2015 - 11:59
CVE-2015-4084 4.3
Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php.
05-12-2016 - 22:02 28-05-2015 - 10:59
CVE-2015-3624 5.8
Cross-site request forgery (CSRF) vulnerability in Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx in Ektron Content Management System (CMS) before 9.10 SP1 (Build 9.1.0.184.1.120) allows remote attackers to hijack the authentication of content ad
05-12-2016 - 22:01 09-06-2015 - 10:59
CVE-2015-3443 3.5
Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly h
05-12-2016 - 22:01 02-07-2015 - 10:59
CVE-2015-3440 4.3
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type
05-12-2016 - 22:01 03-08-2015 - 10:59
CVE-2016-4004 4.0
Directory traversal vulnerability in Dell OpenManage Server Administrator (OMSA) 8.2 allows remote authenticated administrators to read arbitrary files via a ..\ (dot dot backslash) in the file parameter to ViewFile.
02-12-2016 - 22:27 12-04-2016 - 13:59
CVE-2016-2203 2.1
The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges.
02-12-2016 - 22:24 22-04-2016 - 14:59
CVE-2016-1596 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2016-1595 4.0
LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entit
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2016-1594 4.0
Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action.
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2016-1593 6.5
Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2015-3141 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies Xeams 4.5 Build 5755 and earlier allow remote attackers to hijack the authentication of administrators for requests that create an (1) SMTP domain or a (2) user vi
02-12-2016 - 22:08 20-05-2015 - 15:59
CVE-2015-2845 10.0
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2844 10.0
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO.
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2843 7.5
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2842 10.0
Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute arbitrary code by uploading a file with an executab
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2841 5.0
Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Content-Types.
02-12-2016 - 22:06 03-04-2015 - 10:59
CVE-2015-2838 6.8
Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metachar
02-12-2016 - 22:06 03-04-2015 - 10:59
CVE-2015-2825 7.5
Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a dire
02-12-2016 - 22:06 21-04-2015 - 11:59
CVE-2015-2824 7.5
Multiple SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress allow remote attackers to execute arbitrary SQL commands via a (1) hits[][] parameter in a sam_hits action to sam-ajax.php; the (2) cstr parameter in
02-12-2016 - 22:06 06-04-2015 - 11:59
CVE-2015-2805 6.8
Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01,
02-12-2016 - 22:06 16-06-2015 - 12:59
CVE-2015-2803 6.0
SQL injection vulnerability in mod1/index.php in the Akronymmanager (sb_akronymmanager) extension before 7.0.0 for TYPO3 allows remote authenticated users with permission to maintain acronyms to execute arbitrary SQL commands via the id parameter.
02-12-2016 - 22:06 17-06-2015 - 14:59
CVE-2015-2746 6.5
The network diagnostics tool (CommandLineServlet) in the Appliance Manager command line utility (CLU) in Websense TRITON 7.8.3 and V-Series appliances before 7.8.4 Hotfix 02 allows remote authenticated users to execute arbitrary commands via shell me
02-12-2016 - 22:05 26-03-2015 - 10:59
CVE-2015-2701 6.8
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/.
02-12-2016 - 22:05 25-03-2015 - 10:59
CVE-2015-2682 5.0
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via a direct request to conf/securitydbData.xml.
02-12-2016 - 22:05 26-03-2015 - 10:59
CVE-2015-2680 6.8
Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS before 0.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request in the users page to gxadmin/index
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2679 7.5
Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter to index.php or (2) username parameter to gxadmin/login.php.
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2678 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter in the categories page to gxadmin/index.php or (2) page parameter to index
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2562 7.5
Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD (com_ecommercewd) component 1.2.5 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) search_category_id, (2) sort_order, or (3) filter_manufacturer_id
02-12-2016 - 22:05 20-03-2015 - 10:59
CVE-2015-2295 6.8
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the del
02-12-2016 - 22:04 10-04-2015 - 11:00
CVE-2015-2294 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firew
02-12-2016 - 22:04 01-04-2015 - 10:59
CVE-2015-2292 6.5
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL com
02-12-2016 - 22:04 17-03-2015 - 11:59
CVE-2015-2275 4.3
Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy.
02-12-2016 - 22:04 12-03-2015 - 13:59
CVE-2015-2248 6.8
Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for r
02-12-2016 - 22:04 01-05-2015 - 11:59
CVE-2015-2237 7.5
Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) 1.0.4 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showprofile.php or (2) categoryedit.php or (3) username parameter in a login to index.php
02-12-2016 - 22:04 12-03-2015 - 13:59
CVE-2015-2218 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1)
02-12-2016 - 22:04 05-03-2015 - 11:59
CVE-2015-2216 7.5
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.
02-12-2016 - 22:04 05-03-2015 - 10:59
CVE-2015-2169 4.3
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned
02-12-2016 - 22:04 24-06-2015 - 10:59
CVE-2015-2166 5.0
Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI.
02-12-2016 - 22:04 06-04-2015 - 11:59
CVE-2010-4279 10.0
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in
02-12-2016 - 21:59 02-12-2010 - 12:15
CVE-2016-2389 7.8
Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter t
30-11-2016 - 22:09 16-02-2016 - 10:59
CVE-2016-2388 5.0
The Universal Worklist Configuration in SAP NetWeaver 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
30-11-2016 - 22:09 16-02-2016 - 10:59
CVE-2016-2386 7.5
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
30-11-2016 - 22:08 16-02-2016 - 10:59
CVE-2016-3976 5.0
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
29-11-2016 - 22:05 07-04-2016 - 19:59
CVE-2016-3974 7.5
XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~m
29-11-2016 - 22:05 07-04-2016 - 15:59
CVE-2016-2296 7.5
Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.
29-11-2016 - 22:04 14-05-2016 - 12:59
CVE-2015-2102 7.5
SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) allows remote attackers to execute arbitrary SQL commands via the item parameter.
29-11-2016 - 22:01 27-02-2015 - 10:59
CVE-2015-2090 7.5
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-a
29-11-2016 - 22:01 26-02-2015 - 10:59
CVE-2015-2084 6.8
Cross-site request forgery (CSRF) vulnerability in the Easy Social Icons plugin before 1.2.3 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the ima
29-11-2016 - 22:00 25-02-2015 - 17:59
CVE-2015-2071 4.0
Directory traversal vulnerability in cm/newui/blog/export.jsp in eTouch SamePage Enterprise Edition 4.4.0.0.239 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the filepath parameter.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2070 7.5
SQL injection vulnerability in eTouch SamePage Enterprise Edition 4.4.0.0.239 allows remote attackers to execute arbitrary SQL commands via the catId parameter to cm/blogrss/feed.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2068 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2067 5.0
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2065 7.5
SQL injection vulnerability in videogalleryrss.php in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the vid parameter in a rss action to wp-admi
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2016-8582 7.5
A vulnerability exists in gauge.php of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to execute an arbitrary SQL query and retrieve database information or read local system files via MySQL's LOAD_FILE.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-8581 4.3
A persistent XSS vulnerability exists in the User-Agent header of the login process of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to steal session IDs of logged in users when the current sessions are viewed by an administrator.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-8580 7.5
PHP object injection vulnerabilities exist in multiple widget files in AlienVault OSSIM and USM before 5.3.2. These vulnerabilities allow arbitrary PHP code execution via magic methods in included classes.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-7851 4.3
Adobe Connect version 9.5.6 and earlier does not adequately validate input in the events registration module. This vulnerability could be exploited in cross-site scripting attacks.
28-11-2016 - 15:39 08-11-2016 - 12:59
CVE-2016-6483 5.0
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and
28-11-2016 - 15:33 01-09-2016 - 21:59
CVE-2016-6186 4.3
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to
28-11-2016 - 15:30 05-08-2016 - 11:59
CVE-2016-5840 9.0
hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.
28-11-2016 - 15:29 30-06-2016 - 12:59
CVE-2016-5734 7.5
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a craf
28-11-2016 - 15:29 02-07-2016 - 21:59
CVE-2016-4469 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new repository proxy connectors via the token parameter to
28-11-2016 - 15:18 28-07-2016 - 12:59
CVE-2016-4309 7.6
Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter.
28-11-2016 - 15:17 30-06-2016 - 13:59
CVE-2016-4264 6.4
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity
28-11-2016 - 15:17 01-09-2016 - 19:59
CVE-2016-3473 4.0
Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confidentiality via unknown vectors.
28-11-2016 - 15:09 25-10-2016 - 10:29
CVE-2016-1611 7.2
Novell Filr 1.2 before Hot Patch 6 and 2.0 before Hot Patch 2 uses world-writable permissions for /etc/profile.d/vainit.sh, which allows local users to gain privileges by replacing this file's content with arbitrary shell commands.
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1610 5.0
Directory traversal vulnerability in the email-template feature in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote attackers to bypass intended access restrictions and write to arbitrary files via a .. (dot dot
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1609 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allow remote authenticated users to inject arbitrary web script or HTML via crafted input, as demonstrated by a crafted a
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1608 9.0
vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1607 6.5
Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative interface in Novell Filr before 2.0 Security Update 2 allow remote attackers to hijack the authentication of administrators, as demonstrated by reconfiguring time settin
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1337 4.3
Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a "Boot Information Disclosure" issue, aka Bug ID CSCux17178.
28-11-2016 - 14:58 03-07-2016 - 17:59
CVE-2016-1336 7.8
goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a "Gateway HTTP Corruption Denial of Service" issue, aka Bug ID CSCuy28100.
28-11-2016 - 14:58 03-07-2016 - 17:59
CVE-2016-1328 7.8
goform/WClientMACList on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long h_sortWireless parameter, related to a "Gateway Client List Denial of Service" issue, aka Bug ID CSCux24948.
28-11-2016 - 14:58 03-07-2016 - 17:59
CVE-2015-7252 4.3
Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to inject arbitrary web script or HTML via the errorpage parameter.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7251 10.0
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, which allows remote attackers to obtain administrative access via a TELNET session.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7250 7.8
Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7249 6.8
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote authenticated users to bypass intended access restrictions via a modified request, as demonstrated by leveraging the support account to change a password via a cgi-bin/webproc a
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7248 5.0
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password hashes by reading the cgi-bin/webproc HTML source code, a different vulnerability than CVE-2015-8703.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-3986 4.3
Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators f
28-11-2016 - 14:27 14-05-2015 - 10:59
CVE-2015-3301 4.0
Directory traversal vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote administrators to read arbitrary files via a .. (dot dot) in the tcp_box
28-11-2016 - 14:23 14-05-2015 - 10:59
CVE-2015-3300 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via th
28-11-2016 - 14:23 14-05-2015 - 10:59
CVE-2015-1366 4.3
Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.
28-11-2016 - 14:18 27-01-2015 - 15:04
CVE-2006-1252 7.5
Eval injection vulnerability in cal.php in Light Weight Calendar (LWC) 1.0 allows remote attackers to execute arbitrary PHP code via the date parameter to index.php.
18-11-2016 - 22:00 18-03-2006 - 20:02
CVE-2016-8869 7.5
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2016-8870 6.8
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Al
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2013-7043 8.3
Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via
01-11-2016 - 14:22 10-12-2013 - 14:55
CVE-2005-3365 7.5
Multiple SQL injection vulnerabilities in DCP-Portal 6 and earlier allow remote attackers to execute arbitrary SQL commands, possibly requiring encoded characters, via (1) the name parameter in register.php, (2) the email parameter in lostpassword.ph
17-10-2016 - 23:34 30-10-2005 - 09:34
CVE-2005-2428 5.0
Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password ha
17-10-2016 - 23:27 03-08-2005 - 00:00
CVE-2005-2062 7.5
Multiple SQL injection vulnerabilities in ActiveBuyAndSell 6.2 allow remote attackers to execute arbitrary SQL commands via the catid parameter to (1) default.asp or (2) buyersend.asp, (3) Administrator ID field in admin.asp, E-mail field in (4) adve
17-10-2016 - 23:24 29-06-2005 - 00:00
CVE-2004-1580 7.5
SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1553 7.5
SQL injection vulnerability in aspWebAlbum allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the cat parameter to album.asp. NOTE: it was later reported that vector 1 affects aspWebAlbum
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1552 7.5
SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1423 7.5
Multiple PHP remote file inclusion vulnerabilities in Sean Proctor PHP-Calendar before 0.10.1, as used in Commonwealth of Massachusetts Virtual Law Office (VLO) and other products, allow remote attackers to execute arbitrary PHP code via a URL in the
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2008-5308 7.5
The Simple Forum 3.1d module for LoveCMS 1.6.2 Final does not properly restrict access to administrator functions, which allows remote attackers to change the administrator password via a direct request to modules/simpleforum/admin/index.php.
11-10-2016 - 21:59 02-12-2008 - 07:00
CVE-2010-2685 7.5
siteadmin/adduser.php in Customer Paradigm PageDirector CMS does not properly restrict access, which allows remote attackers to bypass intended restrictions and add administrative users via a direct request.
06-10-2016 - 21:59 12-07-2010 - 09:27
CVE-2008-5619 10.0
html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input tha
22-09-2016 - 21:59 16-12-2008 - 21:30
CVE-2013-3961 6.5
SQL injection vulnerability in edit_event.php in Simple PHP Agenda before 2.2.9 allows remote authenticated users to execute arbitrary SQL commands via the eventid parameter.
21-09-2016 - 10:25 11-03-2014 - 15:37
CVE-2009-5089 4.3
Directory traversal vulnerability in index.php in IdeaCart 0.02 and 0.02a allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter.
20-09-2016 - 00:00 12-09-2011 - 08:40
CVE-2011-5197 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Harvester Systems 2.3.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload PHP files
19-09-2016 - 23:56 23-09-2012 - 13:55
CVE-2011-5196 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Journal Systems 2.3.6 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload PHP files.
19-09-2016 - 23:56 23-09-2012 - 13:55
CVE-2011-5195 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Conference Systems 2.3.4 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload a PHP fi
19-09-2016 - 23:55 23-09-2012 - 13:55
CVE-2013-6976 6.8
Cross-site request forgery (CSRF) vulnerability in goform/Quick_setup on Cisco EPC3925 devices allows remote attackers to hijack the authentication of administrators for requests that change a password via the Password and PasswordReEnter parameters,
15-09-2016 - 15:23 19-12-2013 - 17:55
CVE-2013-7136 9.3
The UPC Ireland Cisco EPC 2425 router (aka Horizon Box) does not have a sufficiently large number of possible WPA-PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.
09-09-2016 - 10:35 19-12-2013 - 17:55
CVE-2014-4034 7.5
SQL injection vulnerability in zero_view_article.php in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter.
06-09-2016 - 10:18 11-06-2014 - 10:55
CVE-2014-10021 7.5
Unrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to t
06-09-2016 - 09:10 13-01-2015 - 06:59
CVE-2012-4891 4.3
Cross-site scripting (XSS) vulnerability in fw/index2.do in ManageEngine Firewall Analyzer 7.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vector than CVE-2012-4889. NOTE: the provenance of this
06-09-2016 - 09:05 10-09-2012 - 18:55
CVE-2015-5399 3.5
Cross-site scripting (XSS) vulnerability in PHPVibe before 4.21 allows remote authenticated users to inject arbitrary web script or HTML via a comment.
29-08-2016 - 11:15 26-08-2016 - 16:59
CVE-2007-2430 7.8
shared/code/tce_tmx.php in TCExam 4.0.011 and earlier allows remote attackers to create arbitrary PHP files in cache/ by placing file contents and directory traversal manipulations into a SessionUserLang cookie to public/code/index.php.
26-08-2016 - 21:59 01-05-2007 - 20:19
CVE-2016-6909 10.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9 and FortiSwitch before 3.4.3 allows remote attackers to execute arbitrary code via a crafted HTTP request, aka EGREGIOUSBLUNDER.
24-08-2016 - 16:27 24-08-2016 - 12:30
CVE-2007-2304 7.5
Multiple directory traversal vulnerabilities in Quick and Dirty Blog (QDBlog) 0.4, and possibly earlier, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme parameter to categories.php and other unspeci
23-08-2016 - 21:59 26-04-2007 - 17:19
CVE-2009-1030 4.3
Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
22-08-2016 - 21:59 19-03-2009 - 20:30
CVE-2014-5370 7.5
Directory traversal vulnerability in the CFChart servlet (com.naryx.tagfusion.cfm.cfchartServlet) in New Atlanta BlueDragon before 7.1.1.18527 allows remote attackers to read or possibly delete arbitrary files via a .. (dot dot) in the QUERY_STRING t
18-08-2016 - 10:59 21-04-2015 - 11:59
CVE-2015-1875 7.5
SQL injection vulnerability in a2billing/customer/iridium_threed.php in Elastix 2.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the transactionID parameter.
03-08-2016 - 23:17 11-03-2015 - 10:59
CVE-2016-5304 4.9
Open redirect vulnerability in a report-routing component in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vecto
01-07-2016 - 19:13 30-06-2016 - 19:59
CVE-2016-3653 6.0
Multiple cross-site request forgery (CSRF) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to hijack the authentication of arbitrary users.
01-07-2016 - 19:11 30-06-2016 - 19:59
CVE-2016-3652 3.5
Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
01-07-2016 - 19:11 30-06-2016 - 19:59
CVE-2016-3670 4.3
Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.
20-06-2016 - 08:35 13-06-2016 - 10:59
CVE-2015-4420 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to
15-06-2016 - 09:22 18-06-2015 - 14:59
CVE-2014-8391 4.0
The Web interface in Sendio before 7.2.4 does not properly handle sessions, which allows remote authenticated users to obtain sensitive information from other users' sessions via a large number of requests.
27-05-2016 - 11:48 02-06-2015 - 10:59
CVE-2012-4901 4.3
Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.
27-05-2016 - 11:30 20-05-2015 - 15:59
CVE-2016-2784 2.6
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a reques
26-05-2016 - 18:12 26-05-2016 - 10:59
CVE-2014-1683 6.8
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name,
25-05-2016 - 11:16 29-01-2014 - 13:55
CVE-2014-1610 6.0
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/med
25-05-2016 - 11:01 30-01-2014 - 18:55
CVE-2007-5992 7.5
SQL injection vulnerability in index.php in datecomm Social Networking Script (aka Myspace Clone Script) allows remote attackers to execute arbitrary SQL commands via the seid parameter in a viewcat s action on the forums page.
11-05-2016 - 12:06 15-11-2007 - 17:46
CVE-2016-0784 4.0
Directory traversal vulnerability in the Import/Export System Backups functionality in Apache OpenMeetings before 3.1.1 allows remote authenticated administrators to write to arbitrary files via a .. (dot dot) in a ZIP archive entry.
14-04-2016 - 18:33 11-04-2016 - 10:59
CVE-2015-8399 4.0
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
14-04-2016 - 13:33 11-04-2016 - 17:59
CVE-2015-8398 4.3
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
13-04-2016 - 19:29 11-04-2016 - 17:59
CVE-2015-6541 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a
11-04-2016 - 13:44 08-04-2016 - 10:59
CVE-2014-9727 10.0
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
06-04-2016 - 08:49 29-05-2015 - 11:59
CVE-2016-0793 5.0
Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF direct
04-04-2016 - 13:48 01-04-2016 - 15:59
CVE-2014-3704 7.5
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
31-03-2016 - 13:36 15-10-2014 - 20:55
CVE-2013-6023 7.8
Directory traversal vulnerability in the TVT TD-2308SS-B DVR with firmware 3.2.0.P-3520A-00 and earlier allows remote attackers to read arbitrary files via .. (dot dot) in the URI.
31-03-2016 - 13:31 02-11-2013 - 17:55
CVE-2015-8261 7.5
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.
08-01-2016 - 14:06 07-01-2016 - 21:59
CVE-2015-8368 6.0
ntopng (aka ntop) before 2.2 allows remote authenticated users to change the login context and gain privileges via the user cookie and username parameter to admin/password_reset.lua.
18-12-2015 - 13:43 17-12-2015 - 14:59
CVE-2015-6402 4.3
Cross-site scripting (XSS) vulnerability in the management interface on Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCux24935.
14-12-2015 - 22:40 13-12-2015 - 22:59
CVE-2015-6401 7.5
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
14-12-2015 - 22:40 13-12-2015 - 22:59
CVE-2014-5193 4.3
Cross-site scripting (XSS) vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the category parameter. NOTE: the url parameter vector is already covered by CVE-2014-5082.
04-12-2015 - 11:18 07-08-2014 - 07:13
CVE-2015-1494 4.3
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as d
27-11-2015 - 14:20 17-02-2015 - 10:59
CVE-2008-2566 4.3
Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the group parameter to (1) index.php or (2) the default URI.
27-11-2015 - 12:16 06-06-2008 - 14:32
CVE-2008-2565 7.5
Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) edit.php. NOTE: it was later reported that 4.0.x is also affected.
27-11-2015 - 12:16 06-06-2008 - 14:32
CVE-2015-7808 7.5
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/h
25-11-2015 - 15:23 24-11-2015 - 15:59
CVE-2008-4157 7.5
SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 1.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter, a different vector than CVE-2007-3610. NOTE: it was later reported that 1.2.3 is also affected.
24-11-2015 - 13:07 22-09-2008 - 14:34
CVE-2015-2049 9.0
Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.
24-11-2015 - 11:54 23-02-2015 - 12:59
CVE-2008-2335 4.3
Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party info
24-11-2015 - 11:45 19-05-2008 - 09:20
CVE-2015-1365 5.0
Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.
23-11-2015 - 13:32 27-01-2015 - 15:04
CVE-2014-7176 6.5
SQL injection vulnerability in Enalean Tuleap before 7.5.99.4 allows remote authenticated users to execute arbitrary SQL commands via the lobal_txt parameter to plugins/docman.
20-11-2015 - 11:26 04-11-2014 - 10:55
CVE-2014-8690 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src para
19-11-2015 - 12:24 19-02-2015 - 10:59
CVE-2015-1518 7.5
SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.
19-11-2015 - 11:55 11-02-2015 - 14:59
CVE-2014-5460 6.5
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-
16-11-2015 - 23:07 11-09-2014 - 11:55
CVE-2014-6037 7.5
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with ..
13-11-2015 - 12:53 26-10-2014 - 15:55
CVE-2014-5082 7.5
Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1.3.6 and earlier, Sphider Pro, and Sphider-plus allow remote attackers to execute arbitrary SQL commands via the (1) site_id or (2) url parameter.
04-11-2015 - 11:32 06-08-2014 - 14:55
CVE-2015-5285 5.0
CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came_from parameter to _admin/login.
30-10-2015 - 16:00 29-10-2015 - 16:59
CVE-2014-1695 4.3
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.
13-10-2015 - 12:35 28-02-2014 - 19:01
CVE-2014-2647 4.3
Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP Operations Manager (formerly OpenView Communications Broker) before 11.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-10-2015 - 11:01 18-10-2014 - 21:55
CVE-2014-2579 7.6
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrator password via the config task to inde
08-10-2015 - 10:50 25-04-2014 - 16:55
CVE-2015-7707 6.5
Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp.
06-10-2015 - 14:13 05-10-2015 - 11:59
CVE-2014-4960 7.5
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid
05-10-2015 - 22:37 21-07-2014 - 10:55
CVE-2014-8555 5.0
Directory traversal vulnerability in report/reportViewAction.jsp in Progress Software OpenEdge 11.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the selection parameter.
05-10-2015 - 17:45 12-11-2014 - 11:55
CVE-2015-3203 7.5
Unrestricted file upload vulnerability in h5ai before 0.25.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the href
29-09-2015 - 15:25 28-09-2015 - 12:59
CVE-2014-3871 7.5
Multiple SQL injection vulnerabilities in register.php in Geodesic Solutions GeoCore MAX 7.3.3 (formerly GeoClassifieds and GeoAuctions) allow remote attackers to execute arbitrary SQL commands via the (1) c[password] or (2) c[username] parameter. N
29-09-2015 - 14:48 27-05-2014 - 09:55
CVE-2015-6009 7.5
Multiple SQL injection vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary SQL commands via (1) the where parameter to rss.php or (2) the sqlQuery parameter to search.php, a different issu
28-09-2015 - 20:52 27-09-2015 - 22:59
CVE-2015-6008 7.5
install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary commands via the adminPassword parameter, a different issue than CVE-2015-7381.
28-09-2015 - 20:51 27-09-2015 - 22:59
CVE-2015-6972 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName par
17-09-2015 - 21:54 16-09-2015 - 15:59
CVE-2015-3623 6.4
XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx.
17-09-2015 - 14:43 16-09-2015 - 14:59
CVE-2015-6965 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a f
17-09-2015 - 14:21 16-09-2015 - 10:59
CVE-2014-7280 4.3
Cross-site scripting (XSS) vulnerability in the Web UI before 2.3.4 Build #85 for Tenable Nessus 5.x allows remote web servers to inject arbitrary web script or HTML via the server header.
08-09-2015 - 14:20 21-10-2014 - 11:55
CVE-2014-5464 4.3
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
08-09-2015 - 14:20 08-09-2014 - 10:55
CVE-2015-6811 7.5
SQL injection vulnerability in the Sophos Cyberoam CR500iNG-XP firewall appliance with CyberoamOS 10.6.2 MR-1 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter to login.xml.
04-09-2015 - 14:59 04-09-2015 - 11:59
CVE-2015-6810 3.5
Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_locatio
04-09-2015 - 14:59 04-09-2015 - 11:59
CVE-2014-9605 9.4
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) chara
04-09-2015 - 14:31 04-09-2015 - 11:59
CVE-2015-6809 4.3
Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter
04-09-2015 - 14:26 04-09-2015 - 11:59
CVE-2014-4645 4.3
Cross-site scripting (XSS) vulnerability in dhcpinfo.html in D-link DSL-2760U-E1 allows remote attackers to inject arbitrary web script or HTML via a hostname.
02-09-2015 - 13:16 25-06-2014 - 16:55
CVE-2006-3823 5.1
SQL injection vulnerability in index.php in GeodesicSolutions (1) GeoAuctions Premier 2.0.3 and (2) GeoClassifieds Basic 2.0.3 allows remote attackers to execute arbitrary SQL commands via the b parameter.
01-09-2015 - 12:59 25-07-2006 - 09:22
CVE-2014-3878 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the web client interface in Ipswitch IMail Server 12.3 and 12.4, possibly before 12.4.1.15, allow remote attackers to inject arbitrary web script or HTML via (1) the Name field in an add new cont
31-08-2015 - 14:28 05-06-2014 - 13:55
CVE-2014-3544 3.5
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via th
31-08-2015 - 14:09 29-07-2014 - 07:10
CVE-2014-4710 4.3
Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field.
28-08-2015 - 12:35 29-07-2014 - 10:55
CVE-2015-6519 7.5
SQL injection vulnerability in Arab Portal 3 allows remote attackers to execute arbitrary SQL commands via the showemail parameter in a signup action to members.php.
20-08-2015 - 13:38 18-08-2015 - 14:00
CVE-2015-6512 5.0
SQL injection vulnerability in the get_messages function in server/plugins/chatroom/chatroom.php in FreiChat 9.6 allows remote attackers to execute arbitrary SQL commands via the time parameter to server/freichat.php.
19-08-2015 - 19:10 18-08-2015 - 11:59
CVE-2015-6516 6.5
SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier allows remote authenticated users to execute arbitrary SQL commands via the search parameter to ajax/ajax_search.php.
19-08-2015 - 14:51 18-08-2015 - 11:59
CVE-2015-4666 5.0
Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.3.0 and 2.4.3.0 allows remote attackers to read arbitrary files via a ....// (quadruple dot double slash) in the logFile parameter.
13-08-2015 - 14:29 13-08-2015 - 10:59
CVE-2015-4665 4.3
Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium Xsuite 2.3.0 and 2.4.3.0 allows remote attackers to inject arbitrary web script or HTML via the fileName parameter.
13-08-2015 - 14:25 13-08-2015 - 10:59
CVE-2014-2043 6.5
SQL injection vulnerability in Resources/System/Templates/Data.aspx in Procentia IntelliPen before 1.1.18.1658 allows remote authenticated users to execute arbitrary SQL commands via the value parameter.
13-08-2015 - 14:04 13-03-2014 - 10:55
CVE-2014-0793 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas Komento (com_komento) component before 1.7.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website or (2) latitude parameter in a comment to
13-08-2015 - 13:49 30-01-2014 - 13:55
CVE-2015-4616 5.0
Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter.
11-08-2015 - 10:46 08-07-2015 - 12:59
CVE-2015-4614 7.5
Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-
11-08-2015 - 10:46 08-07-2015 - 12:59
CVE-2014-8954 4.3
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.ph
06-08-2015 - 12:45 17-11-2014 - 11:59
CVE-2014-2009 5.0
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.
05-08-2015 - 12:34 12-09-2014 - 10:55
CVE-2014-2008 7.5
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.
05-08-2015 - 12:34 12-09-2014 - 10:55
CVE-2014-3740 3.5
Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.
31-07-2015 - 21:41 11-09-2014 - 14:55
CVE-2014-3738 4.3
Cross-site scripting (XSS) vulnerability in Zenoss 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the title of a device.
31-07-2015 - 21:40 20-05-2014 - 10:55
CVE-2014-3247 4.3
Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the desc parameter in an Add project (addpro) action to admin.php.
31-07-2015 - 21:38 15-05-2014 - 10:55
CVE-2013-2639 4.3
Cross-site scripting (XSS) vulnerability in CTERA Cloud Storage OS before 3.2.29.0, 3.2.42.0, and earlier allows remote attackers to inject arbitrary web script or HTML via the description in a project folder.
30-07-2015 - 10:43 11-02-2014 - 12:55
CVE-2014-1843 5.0
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to obtain the property information of an arbitrary home folder via a Properties action with a .. (dot dot) in the src parameter
29-07-2015 - 12:19 29-04-2014 - 06:37
CVE-2014-1842 5.0
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to list all usernames via a Go action with a .. (dot dot) in the search-bar value.
29-07-2015 - 12:18 29-04-2014 - 06:37
CVE-2014-1841 5.0
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to copy an arbitrary user's home folder via a Move action with a .. (dot dot) in the src parameter.
29-07-2015 - 12:17 29-04-2014 - 06:37
CVE-2015-2183 7.5
Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an
28-07-2015 - 11:05 10-03-2015 - 10:59
CVE-2013-6872 6.5
SQL injection vulnerability in managetimetracker.php in Collabtive before 1.2 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a projectpdf action.
28-07-2015 - 10:49 21-01-2014 - 10:17
CVE-2008-6844 7.5
The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, Con
27-07-2015 - 14:36 02-07-2009 - 06:30
CVE-2013-6058 7.5
SQL injection vulnerability in appRain CMF 3.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to blog-by-cat/.
27-07-2015 - 12:11 14-11-2013 - 15:55
CVE-2014-0620 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Technicolor (formerly Thomson) TC7200 STD6.01.12 allow remote attackers to inject arbitrary web script or HTML via the (1) ADDNewDomain parameter to parental/website-filters.asp or (2) VmTracerou
24-07-2015 - 14:38 08-01-2014 - 10:30
CVE-2014-0780 7.5
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.
24-07-2015 - 14:35 25-04-2014 - 01:12
CVE-2015-5530 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/crea
21-07-2015 - 07:26 16-07-2015 - 11:59
CVE-2015-5529 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to dashboard/settings/categories/, (2) title or (3) rel parameter to das
21-07-2015 - 07:25 16-07-2015 - 11:59
CVE-2015-5520 4.3
Cross-site scripting (XSS) vulnerability in the Users module in Orchard 1.7.3 through 1.8.2 and 1.9.x before 1.9.1 allows remote attackers to inject arbitrary web script or HTML via the username when creating a new user account, which is not properly
17-07-2015 - 18:32 14-07-2015 - 12:59
CVE-2015-5150 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportH
01-07-2015 - 11:43 30-06-2015 - 10:59
CVE-2015-5148 7.5
SQL injection vulnerability in LivelyCart 1.2.0 allows remote attackers to execute arbitrary SQL commands via the search_query parameter to product/search.
01-07-2015 - 11:36 30-06-2015 - 10:59
CVE-2014-9734 5.0
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php
01-07-2015 - 11:12 30-06-2015 - 10:59
CVE-2015-4018 6.5
SQL injection vulnerability in feedwordpresssyndicationpage.class.php in the FeedWordPress plugin before 2015.0514 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the link_ids[] parameter in an Update action in t
25-06-2015 - 12:22 21-05-2015 - 16:59
CVE-2015-3337 4.3
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
25-06-2015 - 12:07 01-05-2015 - 11:59
CVE-2015-3325 7.5
SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI.
25-06-2015 - 11:50 15-05-2015 - 14:59
CVE-2015-4658 7.5
Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm Clone Script 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) usr or (2) pwd parameter.
19-06-2015 - 10:37 18-06-2015 - 14:59
CVE-2014-0999 5.0
Sendio before 7.2.4 includes the session identifier in URLs in emails, which allows remote attackers to obtain sensitive information and hijack sessions by reading the jsessionid parameter in the Referrer HTTP header.
03-06-2015 - 08:25 02-06-2015 - 10:59
CVE-2015-4066 6.5
Multiple SQL injection vulnerabilities in admin/handlers.php in the GigPress plugin before 2.3.9 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) show_artist_id or (2) show_venue_id parameter in an add acti
02-06-2015 - 10:08 27-05-2015 - 14:59
CVE-2015-4065 3.5
Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/po
28-05-2015 - 10:57 27-05-2015 - 14:59
CVE-2015-4064 6.5
SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-ad
28-05-2015 - 10:56 27-05-2015 - 14:59
CVE-2015-4063 3.5
Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-a
28-05-2015 - 10:55 27-05-2015 - 14:59
CVE-2015-4062 6.5
SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php.
28-05-2015 - 10:54 27-05-2015 - 14:59
CVE-2012-4902 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php
21-05-2015 - 11:32 20-05-2015 - 15:59
CVE-2012-5849 7.5
Multiple SQL injection vulnerabilities in ClipBucket 2.6 Revision 738 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) uid parameter in an add_friend action to ajax.php; id parameter in a (2) share_object, (3) add_to_f
15-05-2015 - 09:27 14-05-2015 - 10:59
CVE-2014-9258 6.5
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
17-04-2015 - 21:59 19-12-2014 - 10:59
CVE-2014-9445 7.5
SQL injection vulnerability in incl/create.inc.php in Installatron GQ File Manager 0.2.5 allows remote attackers to execute arbitrary SQL commands via the create parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) atta
06-04-2015 - 12:55 02-01-2015 - 15:59
CVE-2014-100003 7.5
SQL injection vulnerability in includes/ym-download_functions.include.php in the Code Futures YourMembers plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ym_download_id parameter to the default URI.
24-03-2015 - 16:49 13-01-2015 - 06:59
CVE-2014-9261 5.0
The sanitize function in Codoforum 2.5.1 does not properly implement filtering for directory traversal sequences, which allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to index.php.
24-03-2015 - 10:45 23-03-2015 - 12:59
CVE-2015-2564 6.5
SQL injection vulnerability in client-edit.php in ProjectSend (formerly cFTP) r561 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to users-edit.php.
23-03-2015 - 09:30 20-03-2015 - 10:59
CVE-2015-2208 7.5
The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter.
12-03-2015 - 12:42 12-03-2015 - 10:59
CVE-2015-2182 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allow remote attackers to inject arbitrary web script or HTML via the (1) schltr parameter in a brands action or (2) brand parameter in a viewbrands action to index.php. NOTE: The sea
11-03-2015 - 15:38 11-03-2015 - 10:59
CVE-2014-9566 7.5
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Net
11-03-2015 - 15:19 10-03-2015 - 10:59
CVE-2010-5322 4.3
Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php.
11-03-2015 - 11:05 11-03-2015 - 10:59
CVE-2015-2184 5.0
ZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function.
11-03-2015 - 10:55 10-03-2015 - 10:59
CVE-2015-2199 6.5
Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-a
04-03-2015 - 14:14 03-03-2015 - 14:59
CVE-2015-2198 4.3
Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly hand
04-03-2015 - 14:13 03-03-2015 - 14:59
CVE-2015-2196 7.5
SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.
04-03-2015 - 14:11 03-03-2015 - 14:59
CVE-2015-1587 7.5
Unrestricted file upload vulnerability in file_to_index.php in Maarch LetterBox 2.8 and earlier and GEC/GED 1.4 and earlier allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a reques
20-02-2015 - 20:33 19-02-2015 - 10:59
CVE-2014-9101 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (X
18-02-2015 - 13:53 26-11-2014 - 10:59
CVE-2014-8653 4.3
Cross-site scripting (XSS) vulnerability in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to inject arbitrary web script or HTML via the userData cookie.
18-02-2015 - 13:04 06-11-2014 - 10:55
CVE-2014-8498 6.5
SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL comman
18-02-2015 - 13:02 17-11-2014 - 11:59
CVE-2015-1577 6.4
Directory traversal vulnerability in u5admin/deletefile.php in u5CMS before 3.9.4 allows remote attackers to write to arbitrary files via a (1) .. (dot dot) or (2) full pathname in the f parameter.
12-02-2015 - 12:53 11-02-2015 - 14:59
CVE-2015-1575 4.3
Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php;
12-02-2015 - 12:51 11-02-2015 - 14:59
CVE-2015-1479 6.5
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.
06-02-2015 - 15:40 04-02-2015 - 11:59
CVE-2014-8272 5.0
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-f
05-02-2015 - 15:13 19-12-2014 - 06:59
CVE-2015-1482 5.0
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/.
05-02-2015 - 12:26 04-02-2015 - 13:59
CVE-2015-1481 6.5
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization administrators to gain privileges by creating a superuser account.
05-02-2015 - 11:09 04-02-2015 - 13:59
CVE-2015-1478 4.3
Cross-site scripting (XSS) vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the view parameter to /classifieds.
04-02-2015 - 14:54 04-02-2015 - 11:59
CVE-2015-1477 7.5
SQL injection vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a viewad task to classifieds/offerring-ads.
04-02-2015 - 14:54 04-02-2015 - 11:59
CVE-2015-1480 4.0
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/
04-02-2015 - 14:43 04-02-2015 - 11:59
CVE-2015-1476 7.5
Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allow remote attackers to execute arbitrary SQL commands via the (1) productbycat parameter to product.php, or (2) username or (3) password parameter to __admin/index.php.
04-02-2015 - 14:40 04-02-2015 - 11:59
CVE-2014-9331 6.8
Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to S
04-02-2015 - 12:29 04-02-2015 - 11:59
CVE-2015-1428 7.5
Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands vi
04-02-2015 - 11:59 03-02-2015 - 11:59
CVE-2015-1422 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak
02-02-2015 - 11:52 29-01-2015 - 10:59
CVE-2015-1424 6.8
Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php.
30-01-2015 - 14:05 29-01-2015 - 10:59
CVE-2015-1423 6.5
Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php.
30-01-2015 - 14:04 29-01-2015 - 10:59
CVE-2015-1368 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to credentials/, (2) inventories/, (3) projects/, or (4) u
28-01-2015 - 14:01 27-01-2015 - 15:04
CVE-2015-1376 4.0
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.
28-01-2015 - 12:05 28-01-2015 - 06:59
CVE-2015-1375 7.5
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
28-01-2015 - 11:50 28-01-2015 - 06:59
CVE-2015-1364 7.5
SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/.
28-01-2015 - 10:53 27-01-2015 - 15:04
CVE-2014-6242 6.5
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp
26-01-2015 - 13:53 02-10-2014 - 10:55
CVE-2015-1028 3.5
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2730B router (rev C1) with firmware GE_1.01 allow remote authenticated users to inject arbitrary web script or HTML via the (1) domainname parameter to dnsProxy.cmd (DNS Proxy Configur
26-01-2015 - 07:55 21-01-2015 - 10:28
CVE-2015-0554 9.4
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (devi
23-01-2015 - 15:43 21-01-2015 - 13:59
CVE-2015-1060 5.8
Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
20-01-2015 - 09:20 16-01-2015 - 10:59
CVE-2015-1059 6.5
Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/u
20-01-2015 - 09:02 16-01-2015 - 10:59
CVE-2015-1058 4.3
Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/
20-01-2015 - 09:01 16-01-2015 - 10:59
CVE-2015-1057 4.3
Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value.
20-01-2015 - 09:00 16-01-2015 - 10:59
CVE-2015-1054 3.5
Cross-site scripting (XSS) vulnerability in the Games feature in Crea8Social 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the Game Content field in Add Game.
20-01-2015 - 08:58 16-01-2015 - 10:59
CVE-2014-9308 6.5
Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an
16-01-2015 - 11:29 15-01-2015 - 10:59
CVE-2014-10033 6.5
SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.
14-01-2015 - 16:50 13-01-2015 - 10:59
CVE-2014-10034 6.5
Multiple SQL injection vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to execute arbitrary SQL commands via the (1) iDisplayLength or (2) iDisplayStart parameter to (a) comments_paginate.php or (b) stores_pagi
14-01-2015 - 16:50 13-01-2015 - 10:59
CVE-2014-10035 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to inject arbitrary web script or HTML via the (1) sEcho parameter to comments_paginate.php or (2) stores_paginate.php or the
14-01-2015 - 16:42 13-01-2015 - 10:59
CVE-2014-100011 7.5
SQL injection vulnerability in /send-to in Sendy 1.1.9.1 allows remote attackers to execute arbitrary SQL commands via the c parameter.
14-01-2015 - 16:38 13-01-2015 - 10:59
CVE-2014-10032 6.5
SQL injection vulnerability in news_popup.php in Taboada MacroNews 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
14-01-2015 - 16:37 13-01-2015 - 10:59
CVE-2014-10038 7.5
SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
14-01-2015 - 15:11 13-01-2015 - 10:59
CVE-2014-10037 7.5
Directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php.
14-01-2015 - 15:10 13-01-2015 - 10:59
CVE-2014-100020 7.5
SQL injection vulnerability in ChangeEmail.php in iTechClassifieds 3.03.057 allows remote attackers to execute arbitrary SQL commands via the PreviewNum parameter. NOTE: the CatID parameter is already covered by CVE-2008-0685.
14-01-2015 - 14:50 13-01-2015 - 10:59
CVE-2014-100017 4.3
Cross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field.
14-01-2015 - 14:48 13-01-2015 - 10:59
CVE-2014-100013 4.3
Multiple cross-site scripting (XSS) vulnerabilities in clientResponse 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Subject or (2) Message field.
14-01-2015 - 14:45 13-01-2015 - 10:59
CVE-2014-100012 7.5
SQL injection vulnerability in /app in Sendy 1.1.8.4 allows remote attackers to execute arbitrary SQL commands via the i parameter.
14-01-2015 - 14:45 13-01-2015 - 10:59
CVE-2014-10023 7.5
Multiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) edit_block.php, (2) edit_cat.php, (3) edit_note.php, or (4) rmv_topic.php in admincp/.
13-01-2015 - 19:29 13-01-2015 - 06:59
CVE-2014-10020 7.5
SQL injection vulnerability in login.php in Simple e-document 1.31 allows remote attackers to execute arbitrary SQL commands via the username parameter.
13-01-2015 - 19:27 13-01-2015 - 06:59
CVE-2014-10019 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in webconfig/wlan/country.html/country in the Teracom T2-B-Gawv1.4U10Y-BI modem allow remote attackers to hijack the authentication of administrators for requests that (1) change the SSID or
13-01-2015 - 19:24 13-01-2015 - 06:59
CVE-2014-10018 4.3
Cross-site scripting (XSS) vulnerability in webconfig/wlan/country.html/country in the Teracom T2-B-Gawv1.4U10Y-BI modem allows remote attackers to inject arbitrary web script or HTML via the essid parameter.
13-01-2015 - 19:24 13-01-2015 - 06:59
CVE-2014-10013 7.5
SQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the keywordphrase parameter in a dosearch action.
13-01-2015 - 19:15 13-01-2015 - 06:59
CVE-2014-10010 5.0
Directory traversal vulnerability in PHPJabbers Appointment Scheduler 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter in a pjActionDownload action to the pjBackup controller.
13-01-2015 - 19:03 13-01-2015 - 06:59
CVE-2014-10001 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Appointment Scheduler 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the i18n[1][
13-01-2015 - 18:02 13-01-2015 - 06:59
CVE-2014-100002 5.0
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
13-01-2015 - 15:48 13-01-2015 - 06:59
CVE-2014-8810 6.5
SQL injection vulnerability in ajax/mail_functions.php in the WP Symposium plugin before 14.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tray parameter in a getMailMessage action.
12-01-2015 - 02:12 24-12-2014 - 13:59
CVE-2014-4644 7.5
SQL injection vulnerability in superlinks.php in the superlinks plugin 1.4-2 for Cacti allows remote attackers to execute arbitrary SQL commands via the id parameter.
12-01-2015 - 02:10 25-06-2014 - 16:55
CVE-2011-5284 6.8
Cross-site request forgery (CSRF) vulnerability in the web management interface in httpd/cgi-bin/shutdown.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to hijack the authentication of administrators for requests that p
12-01-2015 - 02:04 31-12-2014 - 17:59
CVE-2014-9582 4.3
Cross-site scripting (XSS) vulnerability in components/filemanager/dialog.php in Codiad 2.4.3 allows remote attackers to inject arbitrary web script or HTML via the short_name parameter in a rename action. NOTE: this issue was originally incorrectly
10-01-2015 - 21:59 08-01-2015 - 15:59
CVE-2014-9581 5.0
Directory traversal vulnerability in components/filemanager/download.php in Codiad 2.4.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter. NOTE: this issue was originally incorrectly mapped to CVE-2014-1137; s
10-01-2015 - 21:59 08-01-2015 - 15:59
CVE-2014-9580 4.3
Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) r561 allows remote attackers to inject arbitrary web script or HTML via the Description field in a file upload. NOTE: this issue was originally incorrectly mapped to CVE-2014-11
10-01-2015 - 21:59 08-01-2015 - 14:59
CVE-2014-9440 7.5
SQL injection vulnerability in browse.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the category parameter.
10-01-2015 - 21:59 02-01-2015 - 14:59
CVE-2011-3713 5.0
cFTP r80 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by templates/session_check.php and certain other files.
09-01-2015 - 21:59 23-09-2011 - 19:55
CVE-2011-5283 4.3
Cross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web script or HTML via the IP parameter in a Run action
09-01-2015 - 18:45 31-12-2014 - 17:59
CVE-2014-9567 7.5
Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to th
08-01-2015 - 14:19 07-01-2015 - 13:59
CVE-2014-2223 7.5
Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then acce
08-01-2015 - 08:41 11-09-2014 - 10:16
CVE-2014-9528 7.5
SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter
06-01-2015 - 14:58 06-01-2015 - 10:59
CVE-2014-9522 4.3
Multiple cross-site scripting (XSS) vulnerabilities in CMS Papoo Light 6.0.0 (Rev 4701) allow remote attackers to inject arbitrary web script or HTML via the (1) author field to guestbook.php or (2) username field to account.php.
06-01-2015 - 11:55 05-01-2015 - 15:59
CVE-2014-9516 4.3
Cross-site scripting (XSS) vulnerability in Social Microblogging PRO 1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI, related to the "Web Site" input in the Profile section.
06-01-2015 - 11:48 05-01-2015 - 15:59
CVE-2014-2598 6.8
Cross-site request forgery (CSRF) vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via
06-01-2015 - 11:42 05-01-2015 - 15:59
CVE-2014-9457 6.5
SQL injection vulnerability in classes/mono_display.class.php in PMB 4.1.3 and earlier allows remote authenticated users to execute arbitrary SQL commands via the id parameter to catalog.php.
05-01-2015 - 18:41 02-01-2015 - 15:59
CVE-2014-9439 4.3
Cross-site scripting (XSS) vulnerability in Easy File Sharing Web Server 6.8 allows remote attackers to inject arbitrary web script or HTML via the username field during registration, which is not properly handled by forum.ghp.
05-01-2015 - 16:14 02-01-2015 - 14:59
CVE-2014-9436 5.0
Absolute path traversal vulnerability in SysAid On-Premise before 14.4.2 allows remote attackers to read arbitrary files via a \\\\ (four backslashes) in the fileName parameter to getRdsLogFile.
05-01-2015 - 16:12 02-01-2015 - 14:59
CVE-2012-1415 6.8
Cross-site request forgery (CSRF) vulnerability in lib/logout.php in DFLabs PTK 1.0.5 and earlier allows remote attackers to hijack the authentication of administrators or investigators for requests that trigger a logout.
29-12-2014 - 11:31 27-12-2014 - 21:59
CVE-2012-1203 6.8
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.
29-12-2014 - 11:20 27-12-2014 - 19:59
CVE-2014-9348 7.5
SQL injection vulnerability in the formulaireRobot function in admin/robots.lib.php in RobotStats 1.0 allows remote attackers to execute arbitrary SQL commands via the robot parameter to admin/robots.php.
23-12-2014 - 12:10 08-12-2014 - 11:59
CVE-2014-8493 5.0
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.
16-12-2014 - 22:00 20-11-2014 - 12:50
CVE-2014-9347 7.5
SQL injection vulnerability in dosearch.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the words_exact parameter.
16-12-2014 - 11:37 08-12-2014 - 11:59
CVE-2014-9345 7.5
SQL injection vulnerability in Guruperl.net Advertise With Pleasure! Professional (aka AWP PRO) 6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a list_zone action to cgi/client.cgi.
09-12-2014 - 16:49 08-12-2014 - 11:59
CVE-2014-9305 6.5
SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_p
09-12-2014 - 13:21 08-12-2014 - 11:59
CVE-2014-9178 7.5
Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the
08-12-2014 - 10:25 02-12-2014 - 11:59
CVE-2014-9144 7.5
Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to execute arbitrary commands via shell metacharacters in the ping field (setobject_ip parameter).
05-12-2014 - 20:41 05-12-2014 - 10:59
CVE-2014-9143 4.3
Open redirect vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the failrefer parameter.
05-12-2014 - 15:00 05-12-2014 - 10:59
CVE-2014-9142 4.3
Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to inject arbitrary web script or HTML via the failrefer parameter.
05-12-2014 - 14:59 05-12-2014 - 10:59
CVE-2014-8800 4.3
Cross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_up
05-12-2014 - 14:17 05-12-2014 - 10:59
CVE-2014-8728 7.5
SQL injection vulnerability in the login page (login/login) in Subex ROC Fraud Management (aka Fraud Management System and FMS) 7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ranger_user[name] parameter.
05-12-2014 - 10:50 02-12-2014 - 11:59
CVE-2014-9173 7.5
SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter.
03-12-2014 - 15:00 02-12-2014 - 11:59
CVE-2014-9175 7.5
SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.
03-12-2014 - 13:42 02-12-2014 - 11:59
CVE-2014-8801 5.0
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax
28-11-2014 - 14:13 28-11-2014 - 10:59
CVE-2014-8799 5.0
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
28-11-2014 - 14:08 28-11-2014 - 10:59
CVE-2014-8469 4.3
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.
24-11-2014 - 10:31 21-11-2014 - 10:59
CVE-2014-8681 7.5
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issue
24-11-2014 - 10:16 21-11-2014 - 10:59
CVE-2014-8682 7.5
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in
24-11-2014 - 10:15 21-11-2014 - 10:59
CVE-2014-9005 7.5
Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 allow remote attackers to execute arbitrary SQL commands via the (1) country, (2) gender1, or (3) gender2 parameter in a search action to index.php.
20-11-2014 - 10:09 20-11-2014 - 08:55
CVE-2014-9004 4.3
Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php.
20-11-2014 - 10:07 20-11-2014 - 08:55
CVE-2014-8997 7.5
Unrestricted file upload vulnerability in the Photo functionality in DigitalVidhya Digi Online Examination System 2.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct r
20-11-2014 - 09:55 20-11-2014 - 08:55
CVE-2012-2588 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.
18-11-2014 - 19:53 19-09-2014 - 10:55
CVE-2012-1669 4.3
Directory traversal vulnerability in index.php in phpMoneyBooks before 1.0.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
18-11-2014 - 07:52 17-11-2014 - 17:59
CVE-2014-8949 6.0
The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to allow remote
17-11-2014 - 21:04 16-11-2014 - 06:59
CVE-2014-8953 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Php Scriptlerim Who's Who script allow remote attackers to hijack the authentication of administrators or requests that (1) add an admin account via a request to filepath/yonetim/plugin/ad
17-11-2014 - 17:57 17-11-2014 - 11:59
CVE-2014-8596 7.5
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/adm
17-11-2014 - 17:42 17-11-2014 - 11:59
CVE-2014-8499 6.5
Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH
17-11-2014 - 17:26 17-11-2014 - 11:59
CVE-2014-8948 6.8
Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have an unspecified impact via the i4w_trace param
17-11-2014 - 11:30 16-11-2014 - 06:59
CVE-2014-8770 9.0
Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file t
14-11-2014 - 10:27 13-11-2014 - 16:32
CVE-2014-5519 7.5
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party informatio
13-11-2014 - 17:51 11-09-2014 - 10:16
CVE-2014-8586 7.5
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter.
10-11-2014 - 11:16 04-11-2014 - 10:55
CVE-2014-8657 5.0
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to cause a denial of service (disconnect all wifi clients) via a request to wirelessChannelStatus.html.
06-11-2014 - 14:24 06-11-2014 - 10:55
CVE-2014-8656 10.0
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a default password of (1) admin for the admin account and (2) compalbn for the root account, which makes it easier for remote attacke
06-11-2014 - 14:20 06-11-2014 - 10:55
CVE-2014-8655 5.0
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to bypass authentication and obtain sensitive information via an (a) admin or a (b) root value in the userData coo
06-11-2014 - 14:12 06-11-2014 - 10:55
CVE-2014-8654 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway hardware 1.0 with firmware CH6640-3.5.11.7-NOSH allow remote attackers to hijack the authentication of administrators f
06-11-2014 - 14:05 06-11-2014 - 10:55
CVE-2013-7057 6.8
Cross-site request forgery (CSRF) vulnerability in Axway SecureTransport 5.1 SP2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that upload arbitrary files via a crafted request to api/v1.0/files/.
05-11-2014 - 08:38 04-11-2014 - 10:55
CVE-2014-4311 5.0
Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allows attackers to obtain the (1) Database Connection and (2) E-mail Connection passwords by reading HTML source code of the database connection and email settings page.
04-11-2014 - 22:50 03-11-2014 - 21:55
CVE-2014-8577 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) dat
03-11-2014 - 20:09 31-10-2014 - 10:55
CVE-2013-3304 5.0
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.
31-10-2014 - 15:04 30-10-2014 - 10:55
CVE-2014-5520 7.5
SQL injection vulnerability in XRMS CRM, possibly 1.99.2, allows remote attackers to execute arbitrary SQL commands via the user_id parameter to plugins/webform/new-form.php, which is not properly handled by plugins/useradmin/fingeruser.php.
30-10-2014 - 21:11 26-10-2014 - 16:55
CVE-2014-5275 6.5
Multiple SQL injection vulnerabilities in includes/functions.php in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) password, (2) email, or (3) id parameter.
24-10-2014 - 20:22 20-10-2014 - 12:55
CVE-2014-2531 6.5
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search a
24-10-2014 - 14:02 21-10-2014 - 12:55
CVE-2012-5242 6.8
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.
24-10-2014 - 13:57 21-10-2014 - 10:55
CVE-2012-5243 5.0
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.
24-10-2014 - 13:26 21-10-2014 - 10:55
CVE-2014-8380 4.3
Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a "404 Not Found" response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regres
24-10-2014 - 09:08 21-10-2014 - 11:55
CVE-2014-7281 6.8
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/
24-10-2014 - 09:02 23-10-2014 - 10:55
CVE-2014-5276 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture or (2) the edit parameter to profiles/index.php.
22-10-2014 - 21:16 20-10-2014 - 12:55
CVE-2012-5244 7.5
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to fu
22-10-2014 - 15:30 20-10-2014 - 10:55
CVE-2014-6312 4.3
Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site sc
22-10-2014 - 13:33 15-10-2014 - 10:55
CVE-2014-8295 7.5
SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
21-10-2014 - 21:40 15-10-2014 - 10:55
CVE-2014-2880 5.8
Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the
17-10-2014 - 03:12 17-04-2014 - 10:55
CVE-2014-4312 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allow remote attackers to inject arbitrary web script or HTML via the (1) Notes section to Order details; (2) Description section to "Order to
15-10-2014 - 12:55 10-10-2014 - 10:55
CVE-2014-7226 7.5
The file comment feature in Rejetto HTTP File Server (hfs) 2.3c and earlier allows remote attackers to execute arbitrary code by uploading a file with certain invalid UTF-8 byte sequences that are interpreted as executable macro symbols.
10-10-2014 - 15:59 09-10-2014 - 21:55
CVE-2014-5300 5.0
Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature.
09-10-2014 - 13:48 08-10-2014 - 15:55
CVE-2014-5308 9.0
Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php.
09-10-2014 - 08:55 08-10-2014 - 13:55
CVE-2014-6389 7.5
backup.php in PHPCompta/NOALYSS before 6.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the d parameter.
07-10-2014 - 21:47 06-10-2014 - 19:55
CVE-2014-6607 7.5
M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability tha
07-10-2014 - 19:18 06-10-2014 - 19:55
CVE-2014-6409 6.8
Cross-site request forgery (CSRF) vulnerability in M/Monit 3.3.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that change user passwords via the fullname and password parameters to /admin/users/updat
07-10-2014 - 19:17 06-10-2014 - 19:55
CVE-2014-2044 7.5
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alte
07-10-2014 - 19:07 06-10-2014 - 19:55
CVE-2014-6619 4.3
Multiple cross-site scripting (XSS) vulnerabilities in register-exec.php in Restaurant Script (PizzaInn_Project) 1.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fname, (2) lname, or (3) login parameter.
01-10-2014 - 15:40 30-09-2014 - 12:55
CVE-2013-2586 4.3
XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method.
30-09-2014 - 14:07 29-09-2014 - 18:55
CVE-2012-5700 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox
24-09-2014 - 11:41 22-09-2014 - 11:55
CVE-2012-6658 4.3
Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT
18-09-2014 - 11:33 17-09-2014 - 11:55
CVE-2012-2956 6.5
SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is f
18-09-2014 - 11:32 17-09-2014 - 11:55
CVE-2012-2583 4.3
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.
18-09-2014 - 11:02 17-09-2014 - 10:55
CVE-2012-1417 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.
17-09-2014 - 15:10 17-09-2014 - 10:55
CVE-2014-6043 6.5
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do.
12-09-2014 - 11:03 11-09-2014 - 11:55
CVE-2014-6070 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.
11-09-2014 - 14:12 11-09-2014 - 10:16
CVE-2012-4240 6.5
SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.
11-09-2014 - 12:52 11-09-2014 - 10:16
CVE-2012-0984 4.3
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target par
11-09-2014 - 12:46 11-09-2014 - 10:16
CVE-2014-5377 5.0
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
08-09-2014 - 10:47 04-09-2014 - 13:55
CVE-2014-5465 5.0
Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
03-09-2014 - 16:15 03-09-2014 - 15:55
CVE-2014-5521 6.5
plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows remote authenticated users to execute arbitrary code via shell metacharacters in the username parameter.
03-09-2014 - 10:15 02-09-2014 - 10:55
CVE-2012-1503 4.3
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.
02-09-2014 - 10:42 29-08-2014 - 09:55
CVE-2014-5246 10.0
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication and gain administrator access by setting the admin:language cookie to zh-cn.
27-08-2014 - 20:03 22-08-2014 - 10:55
CVE-2014-5115 5.0
Absolute path traversal vulnerability in DirPHP 1.0 allows remote attackers to read arbitrary files via a full pathname in the phpfile parameter to index.php.
27-08-2014 - 01:37 29-07-2014 - 10:55
CVE-2014-5347 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attack
20-08-2014 - 13:20 19-08-2014 - 15:55
CVE-2012-5683 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in ZPanel 10.0.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create new FTP users via a CreateFTP action in the ftp_management modu
14-08-2014 - 14:23 14-08-2014 - 10:55
CVE-2012-5684 4.3
Cross-site scripting (XSS) vulnerability in ZPanel 10.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the inFullname parameter in an UpdateAccountSettings action in the my_account module to zpanel/.
14-08-2014 - 14:22 14-08-2014 - 10:55
CVE-2012-5685 7.5
SQL injection vulnerability in ZPanel 10.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the inEmailAddress parameter in an UpdateClient action in the manage_clients module to the default URI.
14-08-2014 - 14:13 14-08-2014 - 10:55
CVE-2011-2944 7.5
SQL injection vulnerability in login.php in MegaLab The Uploader before 2.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter.
13-08-2014 - 14:12 12-08-2014 - 16:55
CVE-2014-1204 7.5
SQL injection vulnerability in Tableau Server 8.0.x before 8.0.7 and 8.1.x before 8.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be exploited by unauthenticated remote attackers if t
11-08-2014 - 13:21 31-01-2014 - 10:07
CVE-2014-5194 6.5
Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.
07-08-2014 - 10:30 07-08-2014 - 07:13
CVE-2014-5192 7.5
SQL injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to execute arbitrary SQL commands via the filter parameter.
07-08-2014 - 10:28 07-08-2014 - 07:13
CVE-2013-5757 4.0
Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.
04-08-2014 - 10:10 03-08-2014 - 14:55
CVE-2013-5756 4.0
Directory traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to cgi-bin/cgiServer.exx.
04-08-2014 - 10:08 03-08-2014 - 14:55
CVE-2014-5100 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cro
28-07-2014 - 11:55 25-07-2014 - 15:55
CVE-2012-6506 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Zingiri Web Shop plugin 2.4.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in zing.inc.php or (2) notes parameter in fws/pages-front/
24-07-2014 - 00:46 23-01-2013 - 20:55
CVE-2014-4155 6.8
Cross-site request forgery (CSRF) vulnerability in the ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a request to Forms/to
18-07-2014 - 01:24 19-06-2014 - 10:55
CVE-2014-4162 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to
17-07-2014 - 01:07 16-06-2014 - 14:55
CVE-2014-4154 5.0
ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA password via a direct request for basic/tc2wanfun.js.
16-07-2014 - 13:49 16-07-2014 - 10:19
CVE-2014-4018 7.8
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors.
16-07-2014 - 13:44 16-07-2014 - 10:19
CVE-2014-4663 6.8
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
15-07-2014 - 15:25 15-07-2014 - 10:55
CVE-2014-3418 10.0
config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the skipjackUsername parameter.
15-07-2014 - 14:37 15-07-2014 - 10:55
CVE-2013-6117 7.5
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.
14-07-2014 - 09:33 11-07-2014 - 15:55
CVE-2014-4718 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Lunar CMS before 3.3-3 allow remote attackers to hijack the authentication of administrators for requests that (1) add Super users via a request to admin/user_create.php or conduct cross-s
07-07-2014 - 10:10 03-07-2014 - 10:55
CVE-2014-4716 6.8
Cross-site request forgery (CSRF) vulnerability in Thomson TWG87OUIR allows remote attackers to hijack the authentication of unspecified victims for requests that change passwords via the Password and PasswordReEnter parameters to goform/RgSecurity.
07-07-2014 - 09:57 03-07-2014 - 10:55
CVE-2014-3842 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) decrypt or (2) encrypt parameter.
27-06-2014 - 12:56 22-05-2014 - 11:13
CVE-2013-1668 8.5
The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.
27-06-2014 - 12:35 23-05-2014 - 10:55
CVE-2012-2591 4.3
Multiple cross-site scripting (XSS) vulnerabilities in EmailArchitect Email Server 10.0 and 10.0.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) From or (2) Date field in an email.
23-06-2014 - 10:37 20-06-2014 - 10:55
CVE-2012-2580 4.3
Cross-site scripting (XSS) vulnerability in the Postie plugin 1.4.3, and possibly before 1.5.15, for WordPress allows remote attackers to inject arbitrary web script or HTML via the From field of an email.
23-06-2014 - 10:32 20-06-2014 - 10:55
CVE-2012-2579 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the WP SimpleMail plugin 1.0.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) To, (2) From, (3) Date, or (4) Subject field of an email.
23-06-2014 - 10:22 20-06-2014 - 10:55
CVE-2014-3778 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in goform/RgDdns in ARRIS (formerly Motorola) SBG901 SURFboard Wireless Cable Modem allow remote attackers to hijack the authentication of administrators for requests that (1) change the dns
20-06-2014 - 10:44 19-06-2014 - 10:55
CVE-2012-2572 4.3
Cross-site scripting (XSS) vulnerability in the ThreeWP Email Reflector plugin before 1.16 for WordPress allows remote attackers to inject arbitrary web script or HTML via the Subject of an email.
20-06-2014 - 10:24 19-06-2014 - 10:55
CVE-2012-2569 4.3
Cross-site scripting (XSS) vulnerability in Synametrics Technologies Xeams 4.4 Build 5720 allows remote attackers to inject arbitrary web script or HTML via the body of an email.
20-06-2014 - 10:12 19-06-2014 - 10:55
CVE-2012-2592 4.3
Cross-site scripting (XSS) vulnerability in Axigen Mail Server 8.0.1 allows remote attackers to inject arbitrary web script or HTML via the body of an email.
19-06-2014 - 14:15 18-06-2014 - 15:55
CVE-2014-3962 7.5
Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow remote attackers to execute arbitrary SQL commands via the url parameter to (1) videocat.php or (2) single.php.
18-06-2014 - 00:33 04-06-2014 - 10:55
CVE-2014-3840 3.5
Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging
18-06-2014 - 00:32 27-05-2014 - 09:55
CVE-2014-2575 6.5
Directory traversal vulnerability in the File Manager component in DevExpress ASPxFileManager Control for ASP.NET WebForms and MVC before 13.1.10 and 13.2.x before 13.2.9 allows remote authenticated users to read or write arbitrary files via a .. (do
18-06-2014 - 00:32 06-06-2014 - 10:55
CVE-2014-4166 4.3
Cross-site scripting (XSS) vulnerability in the song history in SHOUTcast DNAS 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the mp3 title field.
17-06-2014 - 10:58 16-06-2014 - 14:55
CVE-2014-2084 8.5
Skybox View Appliances with ISO 6.3.33-2.14, 6.3.31-2.14, 6.4.42-2.54, 6.4.45-2.56, and 6.4.46-2.57 do not properly restrict access to the Admin interface, which allows remote attackers to obtain sensitive information via a request to (1) scripts/c
13-06-2014 - 00:54 17-05-2014 - 15:55
CVE-2014-4033 4.3
Cross-site scripting (XSS) vulnerability in libraries/includes/personal/profile.php in Epignosis eFront 3.6.14.4 allows remote attackers to inject arbitrary web script or HTML via the surname parameter to student.php.
12-06-2014 - 13:46 11-06-2014 - 10:55
CVE-2013-3739 5.0
Directory traversal vulnerability in editor.php in Network Weathermap 0.97c and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the mapname parameter in a show_config action.
06-06-2014 - 12:08 05-06-2014 - 16:55
CVE-2013-2618 4.3
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
06-06-2014 - 12:07 05-06-2014 - 16:55
CVE-2014-3975 5.0
Absolute path traversal vulnerability in filemanager.php in AuraCMS 3.0 allows remote attackers to list a directory via a full pathname in the viewdir parameter.
06-06-2014 - 10:56 05-06-2014 - 13:55
CVE-2014-3974 4.3
Cross-site scripting (XSS) vulnerability in filemanager.php in AuraCMS 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the viewdir parameter.
06-06-2014 - 10:54 05-06-2014 - 13:55
CVE-2014-3961 7.5
SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an "output CSV" action to pdb-signup/.
05-06-2014 - 10:48 04-06-2014 - 10:55
CVE-2009-1621 5.0
Directory traversal vulnerability in index.php in OpenCart 1.1.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the route parameter.
04-06-2014 - 23:34 12-05-2009 - 12:30
CVE-2013-1412 7.5
DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.
03-06-2014 - 08:27 02-06-2014 - 11:55
CVE-2013-2712 4.3
Cross-site scripting (XSS) vulnerability in services/get_article.php in KrisonAV CMS before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter.
29-05-2014 - 19:44 23-05-2014 - 10:55
CVE-2013-2713 6.8
Cross-site request forgery (CSRF) vulnerability in users_maint.html in KrisonAV CMS before 3.0.2 allows remote attackers to hijack the authentication of administrators for requests that create user accounts via a crafted request.
29-05-2014 - 19:44 23-05-2014 - 10:55
CVE-2013-2225 6.4
inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php.
28-05-2014 - 13:07 27-05-2014 - 10:55
CVE-2014-3849 4.3
The iMember360 plugin 3.8.012 through 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to delete arbitrary users via a request containing a user name in the Email parameter and the API key in the i4w_clearuser pa
27-05-2014 - 10:36 23-05-2014 - 10:55
CVE-2014-3848 5.0
The iMember360 plugin before 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to obtain database credentials via the i4w_dbinfo parameter.
27-05-2014 - 10:34 23-05-2014 - 10:55
CVE-2014-3806 5.0
Directory traversal vulnerability in cgi-bin/help/doIt.cgi in VMTurbo Operations Manager before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the xml_path parameter.
22-05-2014 - 10:54 21-05-2014 - 10:55
CVE-2014-3792 6.8
Cross-site request forgery (CSRF) vulnerability in Beetel 450TC2 Router with firmware TX6-0Q-005_retail allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the uiViewTools_Pas
21-05-2014 - 19:37 20-05-2014 - 10:55
CVE-2014-3138 6.5
SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb
20-05-2014 - 00:14 01-05-2014 - 20:55
CVE-2014-3225 4.0
Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.
16-05-2014 - 00:26 13-05-2014 - 20:55
CVE-2014-2976 5.0
Directory traversal vulnerability in Sixnet SixView Manager 2.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request to TCP port 18081.
16-05-2014 - 00:26 23-04-2014 - 11:55
CVE-2008-5587 4.3
Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
15-05-2014 - 23:22 16-12-2008 - 14:07
CVE-2014-3246 6.5
SQL injection vulnerability in Collabtive 1.2 allows remote authenticated users to execute arbitrary SQL commands via the folder parameter in a fileview_list action to manageajax.php.
14-05-2014 - 11:40 13-05-2014 - 10:55
CVE-2014-0621 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Technicolor (formerly Thomson) TC7200 STD6.01.12 allow remote attackers to hijack the authentication of administrators for requests that (1) perform a factory reset via a request to goform
05-05-2014 - 11:23 08-01-2014 - 10:30
CVE-2014-0794 4.3
SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.like action to index.php.
05-05-2014 - 01:32 26-01-2014 - 15:55
CVE-2013-6164 7.5
SQL injection vulnerability in view/objectDetail.php in Project'Or RIA 3.4.0 allows remote attackers to execute arbitrary SQL commands via the objectId parameter.
05-05-2014 - 01:29 14-11-2013 - 15:55
CVE-2014-2996 7.1
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. N
28-04-2014 - 08:03 25-04-2014 - 16:55
CVE-2013-7204 6.8
Cross-site request forgery (CSRF) vulnerability in set_users.cgi in Conceptronic CIPCAMPTIWL Camera 1.0 with firmware 21.37.2.49 allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users.
22-04-2014 - 13:09 17-01-2014 - 10:18
CVE-2014-2341 6.8
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
22-04-2014 - 13:04 22-04-2014 - 09:06
CVE-2014-2340 6.8
Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create website backups via a request to wp-admin/plugins.php.
19-04-2014 - 00:48 03-04-2014 - 12:15
CVE-2014-2847 7.5
SQL injection vulnerability in default.asp in CIS Manager CMS allows remote attackers to execute arbitrary SQL commands via the TroncoID parameter.
14-04-2014 - 11:15 11-04-2014 - 11:55
CVE-2014-2540 7.5
SQL injection vulnerability in OrbitScripts Orbit Open Ad Server before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the site_directory_sort_field parameter to guest/site_directory.
14-04-2014 - 10:27 11-04-2014 - 10:55
CVE-2011-5278 7.5
SQL injection vulnerability in signature.php in Advanced Forum Signatures plugin (aka afsignatures) 2.0.4 for MyBB allows remote attackers to execute arbitrary SQL commands via the afs_bar_right parameter.
08-04-2014 - 11:46 08-04-2014 - 10:22
CVE-2011-5277 7.5
Multiple SQL injection vulnerabilities in signature.php in the Advanced Forum Signatures (aka afsignatures) plugin 2.0.4 for MyBB allow remote attackers to execute arbitrary SQL commands via the (1) afs_type, (2) afs_background, (3) afs_showonline, (
08-04-2014 - 11:46 08-04-2014 - 10:22
CVE-2014-2588 4.0
Directory traversal vulnerability in servlet/downloadReport in McAfee Asset Manager 6.6 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the reportFileName parameter.
01-04-2014 - 02:29 24-03-2014 - 12:38
CVE-2014-2587 6.5
SQL injection vulnerability in jsp/reports/ReportsAudit.jsp in McAfee Asset Manager 6.6 allows remote authenticated users to execute arbitrary SQL commands via the username of an audit report (aka user parameter).
01-04-2014 - 02:29 24-03-2014 - 12:38
CVE-2013-6720 5.5
Directory traversal vulnerability in download.php in the Passive Capture Application (PCA) web console in IBM Tealeaf CX 7.x, 8.x through 8.6, 8.7 before FP2, and 8.8 before FP2 allows remote authenticated users to bypass intended access restrictions
01-04-2014 - 02:26 06-03-2014 - 06:55
CVE-2013-6719 6.0
delivery.php in the Passive Capture Application (PCA) web console in IBM Tealeaf CX 7.x, 8.x through 8.6, 8.7 before FP2, and 8.8 before FP2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the testconn_host
01-04-2014 - 02:26 06-03-2014 - 06:55
CVE-2014-1982 10.0
The administrative interface in Allied Telesis AT-RG634A ADSL Broadband router 3.3+, iMG624A firmware 3.5, iMG616LH firmware 2.4, and iMG646BD firmware 3.5 allows remote attackers to gain privileges and execute arbitrary commands via a direct request
31-03-2014 - 13:57 31-03-2014 - 10:58
CVE-2013-1605 7.5
Buffer overflow in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to execute arbitrary code via a long filename in a GET request.
26-03-2014 - 09:59 25-03-2014 - 14:21
CVE-2013-1604 5.0
Directory traversal vulnerability in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.
26-03-2014 - 09:53 25-03-2014 - 14:21
CVE-2014-2586 4.3
Cross-site scripting (XSS) vulnerability in the login audit form in McAfee Cloud Single Sign On (SSO) allows remote attackers to inject arbitrary web script or HTML via a crafted password.
24-03-2014 - 18:15 24-03-2014 - 12:38
CVE-2013-2619 5.0
Directory traversal vulnerability in Aspen before 0.22 allows remote attackers to read arbitrary files via a .. (dot dot) to the default URI.
19-03-2014 - 09:31 18-03-2014 - 13:02
CVE-2013-5117 7.5
SQL injection vulnerability in the RSS page (DNNArticleRSS.aspx) in the ZLDNN DNNArticle module before 10.1 for DotNetNuke allows remote attackers to execute arbitrary SQL commands via the categoryid parameter.
13-03-2014 - 12:06 12-03-2014 - 10:55
CVE-2013-5639 7.5
Directory traversal vulnerability in users/login.php in Gnew 2013.1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the gnew_language cookie.
12-03-2014 - 14:03 11-03-2014 - 15:37
CVE-2013-2754 6.8
Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS before 2.9 build 21905 allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via a request to admin/users/add/user/do/.
11-03-2014 - 20:47 11-03-2014 - 15:37
CVE-2014-1944 4.3
Cross-site scripting (XSS) vulnerability in Ilch CMS 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the text parameter to index.php/guestbook/index/newentry.
10-03-2014 - 12:14 09-03-2014 - 09:16
CVE-2013-6233 4.3
Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata."
10-03-2014 - 10:57 09-03-2014 - 09:16
CVE-2013-6232 3.5
Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via a document note in the execution page.
10-03-2014 - 10:56 09-03-2014 - 09:16
CVE-2014-1854 7.5
SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.
07-03-2014 - 15:42 27-02-2014 - 10:55
CVE-2013-3242 5.5
plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and caus
07-03-2014 - 08:46 03-05-2013 - 07:57
CVE-2013-6936 7.5
Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip parameter.
25-02-2014 - 13:19 04-12-2013 - 13:56
CVE-2013-6881 10.0
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
25-02-2014 - 13:11 07-01-2014 - 12:04
CVE-2013-7137 7.5
The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1.
24-02-2014 - 21:07 25-01-2014 - 20:55
CVE-2013-6884 10.0
The write-blocker in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a has a default "ditto" username and password, which allows remote attackers to gain privileges.
24-02-2014 - 20:44 07-01-2014 - 12:04
CVE-2012-6493 6.8
Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Security Console before 5.5.4 allows remote attackers to hijack the authentication of unspecified victims for requests that delete scan data and sites via a request to data/site/delete
24-02-2014 - 17:17 04-02-2014 - 17:55
CVE-2013-1466 4.3
Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6)
24-02-2014 - 17:05 05-02-2014 - 10:10
CVE-2013-4898 6.5
Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it vi
21-02-2014 - 14:06 29-01-2014 - 13:55
CVE-2014-1459 6.5
SQL injection vulnerability in dg-admin/index.php in doorGets CMS 5.2 and earlier allows remote authenticated administrators to execute arbitrary SQL commands via the _position_down_id parameter. NOTE: this can be leveraged using CSRF to allow remot
21-02-2014 - 00:06 11-02-2014 - 12:55
CVE-2014-1401 6.5
Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search parameter to mod/content/content.php or (2) CLIENT_IP, (3) X_FORWARDED_FOR, (4) X_FORWARDED, (5) F
21-02-2014 - 00:06 11-02-2014 - 12:55
CVE-2014-1206 7.5
SQL injection vulnerability in the password reset page in Open Web Analytics (OWA) before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the owa_email_address parameter in a base.passwordResetRequest action to index.php.
21-02-2014 - 00:06 15-01-2014 - 11:08
CVE-2013-7319 4.3
Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.
21-02-2014 - 00:06 06-02-2014 - 11:10
CVE-2012-0394 6.8
** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a sec
20-02-2014 - 23:48 08-01-2012 - 10:55
CVE-2013-1852 7.5
SQL injection vulnerability in leaguemanager.php in the LeagueManager plugin before 3.8.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the league_id parameter in the leaguemanager-export page to wp-admin/admin.php.
05-02-2014 - 13:13 05-02-2014 - 10:10
CVE-2013-7091 5.0
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be
27-01-2014 - 23:57 13-12-2013 - 13:07
CVE-2013-4884 4.3
Cross-site scripting (XSS) vulnerability in McAfee SuperScan 4.0 allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded sequences in a server response, which is not properly handled in the SuperScan HTML report.
22-01-2014 - 14:53 21-01-2014 - 13:55
CVE-2013-6922 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a cr
22-01-2014 - 14:49 21-01-2014 - 11:06
CVE-2013-2594 7.5
SQL injection vulnerability in reports/calldiary.php in Hornbill Supportworks ITSM 1.0.0 through 3.4.14 allows remote attackers to execute arbitrary SQL commands via the callref parameter.
22-01-2014 - 14:15 21-01-2014 - 11:06
CVE-2012-6626 7.5
SQL injection vulnerability in verify-user.php in b2ePMS 1.0 allows remote attackers to execute arbitrary SQL commands via the username field.
17-01-2014 - 13:28 16-01-2014 - 16:55
CVE-2013-6883 6.8
Cross-site request forgery (CSRF) vulnerability in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to hijack the authentication of administrators for requests that modify the disk erase technique settings via u
13-01-2014 - 23:29 17-12-2013 - 11:08
CVE-2013-6882 4.3
Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Forensic FieldStation with firmware 2013Oct15a and earlier allow (1) remote attackers to inject arbitrary web script or HTML via the username parameter in a login or (2) remote authenti
13-01-2014 - 23:29 17-12-2013 - 11:08
CVE-2013-6923 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname parameter to admin/access_control_user_edit.ph
10-01-2014 - 10:51 09-01-2014 - 13:55
CVE-2013-6987 7.5
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter t
02-01-2014 - 11:10 31-12-2013 - 11:04
CVE-2013-6341 7.5
SQL injection vulnerability in Dokeos 2.2 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the language parameter to index.php.
27-12-2013 - 13:57 05-12-2013 - 13:55
CVE-2013-6787 6.0
SQL injection vulnerability in the check_user_password function in main/auth/profile.php in Chamilo LMS 1.9.6 and earlier, when using the non-encrypted passwords mode set at installation, allows remote authenticated users to execute arbitrary SQL com
27-12-2013 - 12:40 05-12-2013 - 13:55
CVE-2013-7194 3.5
Multiple cross-site scripting (XSS) vulnerabilities in www/administrator.php in eFront 3.6.14 (build 18012) allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) Last name, (2) Lesson name, or (3) Course name fi
23-12-2013 - 12:04 20-12-2013 - 19:55
CVE-2013-7187 7.5
SQL injection vulnerability in form.php in the FormCraft plugin 1.3.7 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
23-12-2013 - 09:59 20-12-2013 - 18:55
CVE-2013-7025 3.5
Multiple cross-site scripting (XSS) vulnerabilities in ematStaticAlertTypes.jsp in the Alert Settings section in Dell SonicWALL Global Management System (GMS), Analyzer, and UMA EM5000 7.1 SP1 before Hotfix 134235 allow remote authenticated users to
13-12-2013 - 00:22 09-12-2013 - 11:36
CVE-2012-6081 6.0
Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary cod
13-12-2013 - 00:08 02-01-2013 - 20:55
CVE-2009-4140 7.5
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_global
12-12-2013 - 23:32 22-12-2009 - 17:30
CVE-2013-6618 9.0
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3, and 12.3 before 12.3R1 allows remote authenticated users to execute arbitrary commands via the rsargs parameter in an exec action
08-12-2013 - 01:07 05-11-2013 - 15:55
CVE-2013-6852 6.8
Cross-site request forgery (CSRF) vulnerability in html/json.html on HP 2620 switches allows remote attackers to hijack the authentication of administrators for requests that change an administrative password via the setPassword method.
22-11-2013 - 14:03 21-11-2013 - 20:55
CVE-2013-6793 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar module in Olat 7.8.0.1 (b20130821 N1) allow remote attackers to inject arbitrary web script or HTML via the (1) event name or (2) date field.
21-11-2013 - 12:57 14-11-2013 - 15:55
CVE-2013-5977 6.8
Cross-site request forgery (CSRF) vulnerability in Cart66Product.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote attackers to hijack the authentication of administrators for requests that (1) create or modify products or con
20-11-2013 - 12:48 01-11-2013 - 11:55
CVE-2011-5267 4.3
Multiple cross-site scripting (XSS) vulnerabilities in spell-check-savedicts.php in the SpellChecker module in Xinha, as used in WikiWig 5.01 and possibly other products, allow remote attackers to inject arbitrary web script or HTML via the (1) to_p_
07-11-2013 - 14:43 05-11-2013 - 13:55
CVE-2013-3336 5.0
Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.
06-11-2013 - 23:39 09-05-2013 - 08:31
CVE-2013-5694 7.5
SQL injection vulnerability in status/service/acknowledge in Opsview before 4.4.1 allows remote attackers to execute arbitrary SQL commands via the service_selection parameter.
06-11-2013 - 20:03 05-11-2013 - 15:55
CVE-2013-3535 4.3
Multiple cross-site scripting (XSS) vulnerabilities in CMSLogik 1.2.0 and 1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_email, (2) header_title, (3) site_title parameter to admin/settings; (4) recaptcha_private
02-11-2013 - 23:33 13-05-2013 - 19:55
CVE-2011-4106 6.8
TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it v
28-10-2013 - 11:15 26-10-2013 - 12:55
CVE-2013-5961 6.8
Unrestricted file upload vulnerability in lazyseo.php in the Lazy SEO plugin 1.1.9 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in lazy-seo/.
11-10-2013 - 11:08 30-09-2013 - 18:55
CVE-2013-5693 4.3
Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.
11-10-2013 - 09:33 30-09-2013 - 18:55
CVE-2013-5962 5.1
Unrestricted file upload vulnerability in frames/upload-images.php in the Complete Gallery Manager plugin before 3.3.4 rev40279 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then acc
10-10-2013 - 13:40 30-09-2013 - 18:55
CVE-2013-0126 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administ
07-10-2013 - 16:31 21-03-2013 - 16:55
CVE-2013-5091 6.5
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a
07-10-2013 - 14:58 04-10-2013 - 16:55
CVE-2013-5317 3.5
Cross-site scripting (XSS) vulnerability in RiteCMS 1.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the mode parameter to cms/index.php.
07-10-2013 - 14:36 20-08-2013 - 10:55
CVE-2013-5316 6.8
Cross-site request forgery (CSRF) vulnerability in RiteCMS 1.0.0 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via an edit user action to cms/index.php.
07-10-2013 - 14:34 20-08-2013 - 10:55
CVE-2011-5130 6.8
dev/less.php in Family Connections CMS (FCMS) 2.5.0 - 2.7.1, when register_globals is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the argv[1] parameter.
07-10-2013 - 14:12 30-08-2012 - 18:55
CVE-2013-1468 7.6
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.
03-10-2013 - 14:49 13-03-2013 - 23:13
CVE-2012-1059 4.3
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Cart/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, as demonstrated
03-10-2013 - 14:26 13-02-2012 - 19:55
CVE-2013-5692 8.5
Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.
01-10-2013 - 16:01 30-09-2013 - 18:55
CVE-2013-5318 7.5
SQL injection vulnerability in Ginkgo CMS 5.0 allows remote attackers to execute arbitrary SQL commands via the rang parameter to index.php.
27-09-2013 - 23:40 20-08-2013 - 10:55
CVE-2013-4900 5.0
Directory traversal vulnerability in DeWeS web server 0.4.2 and possibly earlier, as used in Twilight CMS, allows remote attackers to read arbitrary files via a ..%5c (dot dot encoded backslash) in a GET request.
13-09-2013 - 14:56 09-09-2013 - 13:55
CVE-2010-1491 5.0
Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
13-09-2013 - 02:31 23-04-2010 - 10:30
CVE-2011-5147 5.0
Static code injection vulnerability in ajax_save_name.php in the Ajax File Manager module in the tinymce plugin in FreeWebshop 2.2.9 R2 and earlier allows remote attackers to inject arbitrary PHP code into data.php via the selected document, as demon
12-09-2013 - 02:24 31-08-2012 - 17:55
CVE-2010-1049 7.5
Multiple SQL injection vulnerabilities in Uiga Business Portal allow remote attackers to execute arbitrary SQL commands via the (1) noentryid parameter to blog/index.php and the (2) p parameter to index2.php.
12-09-2013 - 02:08 22-03-2010 - 21:00
CVE-2013-5672 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the IndiaNIC Testimonial plugin 2.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add a testimonial via an iNIC_testimonial_save
11-09-2013 - 20:09 10-09-2013 - 15:55
CVE-2013-5673 7.5
SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the custom_query parameter in a testimonial_add action to wp-admin/admin-ajax.php.
11-09-2013 - 10:50 10-09-2013 - 15:55
CVE-2011-5168 7.5
SQL injection vulnerability in user.php in Banana Dance before B.1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
11-09-2013 - 02:22 15-09-2012 - 13:55
CVE-2011-4715 5.0
Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin
10-09-2013 - 13:10 08-12-2011 - 14:55
CVE-2009-2334 4.9
wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensit
10-09-2013 - 02:00 10-07-2009 - 17:00
CVE-2010-4993 7.5
SQL injection vulnerability in the eventcal (com_eventcal) component 1.6.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
09-09-2013 - 02:06 01-11-2011 - 18:55
CVE-2010-1354 5.0
Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from
09-09-2013 - 01:58 12-04-2010 - 14:30
CVE-2007-3430 7.5
SQL injection vulnerability in index.php in Simple Invoices 2007 05 25 allows remote attackers to execute arbitrary SQL commands via the submit parameter in an email action.
09-09-2013 - 01:21 26-06-2007 - 20:30
CVE-2012-5231 7.5
miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code via a crafted (1) pagename or (2) area variable containing an executable extension, which is not properly handled by (a) update.php when writing files to content/, or (b) updat
08-09-2013 - 02:18 01-10-2012 - 16:55
CVE-2010-0985 7.5
Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of the
08-09-2013 - 01:55 16-03-2010 - 15:30
CVE-2008-6649 7.5
SQL injection vulnerability in manager/image_details_editor.php in Ktools PhotoStore 2.5, 2.9.8, 3.1.0, and other versions through 3.5.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
08-09-2013 - 01:43 07-04-2009 - 10:17
CVE-2010-0976 7.5
Acidcat CMS 3.5.x does not prevent access to install.asp after installation finishes, which might allow remote attackers to restart the installation process and have unspecified other impact via requests to install.asp and other install_*.asp scripts
07-09-2013 - 02:02 16-03-2010 - 15:30
CVE-2010-5012 7.5
SQL injection vulnerability in new.php in DaLogin 2.2 and 2.2.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.
05-09-2013 - 11:48 02-11-2011 - 17:55
CVE-2012-1901 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in FlexCMS 3.2.1 and earlier allow remote attackers to (1) hijack the authentication of users for requests that change account settings via a request to index.php/profile-edit-save or (2) hij
05-09-2013 - 02:23 18-09-2012 - 14:55
CVE-2010-4849 7.5
SQL injection vulnerability in countrydetails.php in Alibaba Clone B2B 3.4 allows remote attackers to execute arbitrary SQL commands via the es_id parameter.
04-09-2013 - 02:11 27-09-2011 - 06:55
CVE-2007-6088 9.3
PHP remote file inclusion vulnerability in includes/functions_mod_user.php in phpBBViet 02.03.07 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
04-09-2013 - 01:32 21-11-2007 - 19:46
CVE-2010-3490 6.5
Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the use
03-09-2013 - 02:15 28-09-2010 - 14:00
CVE-2010-4330 6.8
Directory traversal vulnerability in includes/controller.php in Pulse CMS Basic before 1.2.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p parameter to index.php.
31-08-2013 - 02:17 07-12-2010 - 08:53
CVE-2010-4333 7.5
Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.
30-08-2013 - 02:16 21-12-2010 - 22:00
CVE-2010-4940 7.5
SQL injection vulnerability in index.php in WAnewsletter 2.1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
29-08-2013 - 02:26 09-10-2011 - 06:55
CVE-2010-5020 7.5
SQL injection vulnerability in index.php in NetArt Media iBoutique 4.0 allows remote attackers to execute arbitrary SQL commands via the page parameter.
28-08-2013 - 02:31 02-11-2011 - 17:55
CVE-2010-1713 7.5
SQL injection vulnerability in modules.php in PostNuke 0.764 allows remote attackers to execute arbitrary SQL commands via the sid parameter in a News article modload action.
28-08-2013 - 02:20 04-05-2010 - 12:00
CVE-2009-4713 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Qas (aka Quas) module for XOOPS Celepar allow remote attackers to inject arbitrary web script or HTML via (1) the cod_categoria parameter to categoria.php, (2) the opcao parameter to index.ph
28-08-2013 - 02:15 15-03-2010 - 17:30
CVE-2009-4456 7.5
SQL injection vulnerability in news_detail.php in Green Desktiny 2.3.1, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the id parameter.
28-08-2013 - 02:14 29-12-2009 - 19:30
CVE-2012-6584 7.5
Multiple SQL injection vulnerabilities in MYRE Realty Manager allow remote attackers to execute arbitrary SQL commands via the bathrooms1 parameter to (1) demo2/search.php or (2) search.php.
27-08-2013 - 10:13 24-08-2013 - 23:27
CVE-2012-6586 7.5
Multiple SQL injection vulnerabilities in MYRE Vacation Rental Software allow remote attackers to execute arbitrary SQL commands via the (1) garage1 or (2) bathrooms1 parameter to vacation/1_mobile/search.php, or (3) unspecified input to vacation/wid
27-08-2013 - 10:01 24-08-2013 - 23:27
CVE-2012-6587 4.3
Cross-site scripting (XSS) vulnerability in vacation/1_mobile/alert_members.php in MYRE Vacation Rental Software allows remote attackers to inject arbitrary web script or HTML via the link_idd parameter in a login action.
27-08-2013 - 09:46 24-08-2013 - 23:27
CVE-2012-6588 7.5
SQL injection vulnerability in links.php in MYRE Business Directory allows remote attackers to execute arbitrary SQL commands via the cat parameter.
27-08-2013 - 09:27 24-08-2013 - 23:27
CVE-2012-2923 7.5
SQL injection vulnerability in news.php4 in Hypermethod eLearning Server 4G allows remote attackers to execute arbitrary SQL commands via the nid parameter.
27-08-2013 - 03:10 21-05-2012 - 18:55
CVE-2008-6749 6.8
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPDirectory 0.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) checkuser and (2) checkpass parameters.
27-08-2013 - 02:14 24-04-2009 - 10:30
CVE-2012-6589 4.3
Cross-site scripting (XSS) vulnerability in search.php in MYRE Business Directory allows remote attackers to inject arbitrary web script or HTML via the look parameter.
26-08-2013 - 13:32 24-08-2013 - 23:27
CVE-2012-6585 4.3
Cross-site scripting (XSS) vulnerability in search.php in MYRE Realty Manager allows remote attackers to inject arbitrary web script or HTML via the cat_id1 parameter.
26-08-2013 - 11:20 24-08-2013 - 23:27
CVE-2007-6655 7.5
PHP remote file inclusion vulnerability in includes/function.php in Kontakt Formular 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter.
26-08-2013 - 01:35 04-01-2008 - 06:46
CVE-2010-0759 7.5
Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via d
24-08-2013 - 02:12 26-02-2010 - 19:30
CVE-2007-4603 7.5
Multiple SQL injection vulnerabilities in index.php in ACG News 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the aid parameter in a showarticle action or (2) the catid parameter in a showcat action.
24-08-2013 - 01:35 30-08-2007 - 20:17
CVE-2009-4817 6.8
Unrestricted file upload vulnerability in Element-IT Ultimate Uploader 1.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/.
22-08-2013 - 02:17 27-04-2010 - 11:30
CVE-2010-0288 7.5
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the
21-08-2013 - 23:27 15-02-2010 - 13:30
CVE-2010-0287 5.0
Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter.
21-08-2013 - 23:27 15-02-2010 - 13:30
CVE-2013-5321 7.5
Multiple SQL injection vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 4.1 allow remote attackers to execute arbitrary SQL commands via the (1) sensor parameter in a Query action to forensics/base_qry_main.php; the (
21-08-2013 - 10:08 20-08-2013 - 10:56
CVE-2010-0696 5.0
Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
21-08-2013 - 02:18 23-02-2010 - 13:30
CVE-2013-5312 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Vastal I-Tech phpVID 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to browse_videos.php or the (2) cat parameter to groups.php.
20-08-2013 - 09:17 19-08-2013 - 17:10
CVE-2013-5311 7.5
Multiple SQL injection vulnerabilities in Vastal I-Tech phpVID 1.2.3 allow remote attackers to execute arbitrary SQL commands via the "n" parameter to (1) browse_videos.php or (2) members.php. NOTE: the cat parameter is already covered by CVE-2008-4
20-08-2013 - 09:15 19-08-2013 - 17:10
CVE-2012-5388 3.5
Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action t
19-08-2013 - 23:18 24-10-2012 - 13:55
CVE-2012-5387 6.8
Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wl
19-08-2013 - 23:18 24-10-2012 - 13:55
CVE-2010-1341 7.5
SQL injection vulnerability in index.php in Systemsoftware Community Black Forum allows remote attackers to execute arbitrary SQL commands via the s_flaeche parameter.
19-08-2013 - 12:27 09-04-2010 - 14:30
CVE-2011-4801 7.5
SQL injection vulnerability in akeyActivationLogin.do in Authenex Web Management Control in Authenex Strong Authentication System (ASAS) Server 3.1.0.2 and 3.1.0.3 allows remote attackers to execute arbitrary SQL commands via the username parameter.
18-08-2013 - 02:24 13-12-2011 - 19:55
CVE-2010-3313 7.5
phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows
18-08-2013 - 02:14 22-09-2010 - 15:00
CVE-2010-0756 5.8
Session fixation vulnerability in WikyBlog 1.7.3 rc2 allows remote attackers to hijack web sessions by setting the jsessionid parameter to (1) index.php/Comment/Main, (2) index.php/Comment/Main/Home_Wiky, or (3) index.php/Edit/Main.
18-08-2013 - 02:09 26-02-2010 - 19:30
CVE-2007-1815 7.5
SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.
18-08-2013 - 01:25 02-04-2007 - 19:19
CVE-2012-5315 4.3
Multiple cross-site scripting (XSS) vulnerabilities in php ireport 1.0 allow remote attackers to inject arbitrary web script or HTML via the message parameter to (1) messages_viewer.php, (2) home.php, or (3) history.php.
17-08-2013 - 02:50 08-10-2012 - 13:55
CVE-2006-7247 7.5
SQL injection vulnerability in the Weblinks (com_weblinks) component for Joomla! and Mambo 1.0.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.
16-08-2013 - 01:46 06-09-2012 - 15:55
CVE-2013-5099 2.6
Cross-site scripting (XSS) vulnerability in article.php in Anchor CMS 0.9.1, when comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Name field. NOTE: some sources have reported that comments.php is vulnerab
14-08-2013 - 14:05 09-08-2013 - 17:55
CVE-2013-5121 7.5
SQL injection vulnerability in PHPFox before 3.6.0 (build6) allows remote attackers to execute arbitrary SQL commands via the search[sort_by] parameter to user/browse/view_/.
14-08-2013 - 13:52 14-08-2013 - 11:55
CVE-2013-5120 7.5
SQL injection vulnerability in PHPFox before 3.6.0 (build4) allows remote attackers to execute arbitrary SQL commands via the search[gender] parameter to user/browse/view_/.
14-08-2013 - 13:31 14-08-2013 - 11:55
CVE-2010-1058 6.8
Directory traversal vulnerability in codelib/cfg/common.inc.php in Phpkobo Address Book Script 1.09, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the LANG_CODE parameter
14-08-2013 - 02:11 23-03-2010 - 13:30
CVE-2007-6459 6.8
Anon Proxy Server 0.100, and probably 0.101, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the host parameter to diagdns.php, and (2) the host parameter and possibly (3) the port parameter to diagconnect.php, a
14-08-2013 - 01:37 19-12-2007 - 19:46
CVE-2011-0503 6.8
Cross-site request forgery (CSRF) vulnerability in VaM Shop 1.6, 1.6.1, and probably earlier versions allows remote attackers to hijack the authentication of administrators for requests that (1) change user status via admin/customers.php or (2) chang
13-08-2013 - 12:59 20-01-2011 - 14:00
CVE-2010-5284 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Collabtive 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) User parameter in the edit user profile feature to manageuser.php, (2) y parameter in a newcal action to
13-08-2013 - 12:58 26-11-2012 - 18:55
CVE-2009-4574 7.5
SQL injection vulnerability in country_escorts.php in I-Escorts Directory Script allows remote attackers to execute arbitrary SQL commands via the country_id parameter.
13-08-2013 - 12:46 06-01-2010 - 17:00
CVE-2009-2180 5.0
Multiple directory traversal vulnerabilities in upfiles/index.php in Pc4 Uploader 10.0 and earlier allow remote attackers to read arbitrary files via (1) a .. (dot dot) or (2) absolute path in the file parameter.
07-08-2013 - 02:11 23-06-2009 - 17:30
CVE-2007-4809 7.5
Multiple PHP remote file inclusion vulnerabilities in Online Fantasy Football League (OFFL) 0.2.6 allow remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter to (1) lib/functions.php or (2) lib/header.php.
07-08-2013 - 01:39 11-09-2007 - 14:17
CVE-2013-2690 7.5
SQL injection vulnerability in index.php in Synchroweb Technology SynConnect 2.0 allows remote attackers to execute arbitrary SQL commands via the loginid parameter in a logoff action.
06-08-2013 - 17:47 28-03-2013 - 19:55
CVE-2011-0903 6.8
Multiple directory traversal vulnerabilities in AR Web Content Manager (AWCM) 2.2 allow remote attackers to read arbitrary files and possibly have other unspecified impact via a .. (dot dot) in the (1) awcm_theme or (2) awcm_lang cookie to (a) index.
06-08-2013 - 17:27 07-02-2011 - 16:00
CVE-2009-3314 7.5
SQL injection vulnerability in ladders.php in Elite Gaming Ladders 3.2 allows remote attackers to execute arbitrary SQL commands via the platform parameter.
06-08-2013 - 17:10 23-09-2009 - 08:08
CVE-2007-3812 7.5
SQL injection vulnerability in forums.php in CMScout 1.23 and earlier allows remote attackers to execute arbitrary SQL commands via the f parameter in a forums action to index.php.
03-08-2013 - 02:23 16-07-2007 - 20:30
CVE-2010-1350 7.5
SQL injection vulnerability in the JP Jobs (com_jp_jobs) component 1.4.1 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php.
02-08-2013 - 02:32 12-04-2010 - 14:30
CVE-2010-3404 7.5
Multiple SQL injection vulnerabilities in eshtery CMS (aka eshtery.com) allow remote attackers to execute arbitrary SQL commands via the (1) Criteria field in an unspecified form related to catlgsearch.aspx or (2) user name to an unspecified form rel
01-08-2013 - 02:21 16-09-2010 - 16:00
CVE-2011-4813 5.0
Directory traversal vulnerability in clientarea.php in WHMCompleteSolution (WHMCS) 3.x.x allows remote attackers to read arbitrary files via an invalid action and a ../ (dot dot slash) in the templatefile parameter.
31-07-2013 - 02:24 13-12-2011 - 19:55
CVE-2012-4399 5.0
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
30-07-2013 - 02:28 09-10-2012 - 19:55
CVE-2010-1336 7.5
Multiple SQL injection vulnerabilities in INVOhost 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) newlanguage parameters to site.php, (3) search parameter to manuals.php, and (4) unspecified vectors to faq.php. N
30-07-2013 - 02:05 09-04-2010 - 14:30
CVE-2013-3515 4.3
Multiple cross-site scripting (XSS) vulnerabilities in OpenX Source 2.8.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) package parameter to www/admin/plugin-index.php or the (2) group parameter to www/admin/p
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4945 7.5
Multiple SQL injection vulnerabilities in BMC Service Desk Express (SDE) 10.2.1.95 allow remote attackers to execute arbitrary SQL commands via the (1) ASPSESSIONIDASSRATTQ, (2) TABLE_WIDGET_1, (3) TABLE_WIDGET_2, (4) browserDateTimeInfo, or (5) brow
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4946 4.3
Multiple cross-site scripting (XSS) vulnerabilities in BMC Service Desk Express (SDE) 10.2.1.95 allow remote attackers to inject arbitrary web script or HTML via the (1) SelTab parameter to QV_admin.aspx, the (2) CallBack parameter to QV_grid.aspx, o
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4948 7.5
SQL injection vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary SQL commands via the element_2 parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4949 6.8
Unrestricted file upload vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in the upload form's directory in data/.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4950 4.3
Cross-site scripting (XSS) vulnerability in view.php in Machform 2 allows remote attackers to inject arbitrary web script or HTML via the element_2 parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4952 7.5
SQL injection vulnerability in functions/global.php in Elemata CMS RC 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2013-4953 7.5
SQL injection vulnerability in play.php in Top Games Script 1.2 allows remote attackers to execute arbitrary SQL commands via the gid parameter.
30-07-2013 - 00:00 29-07-2013 - 19:27
CVE-2010-3456 5.0
Directory traversal vulnerability in download.php in EnergyScripts (ES) Simple Download 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
29-07-2013 - 12:31 17-09-2010 - 16:00
CVE-2010-2697 3.5
Cross-site scripting (XSS) vulnerability in Sijio Community Software allows remote authenticated users to inject arbitrary web script or HTML via the title parameter when adding a new blog, related to edit_blog/index.php. NOTE: some of these details
29-07-2013 - 12:29 12-07-2010 - 13:30
CVE-2010-4275 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Radius Manager 3.8.0 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) name or (2) descr parameter in an (a) update_usergroup or a (b) store_nas action
27-07-2013 - 02:18 21-12-2010 - 22:00
CVE-2007-6396 7.5
Direct static code injection vulnerability in index.php in Flat PHP Board 1.2 and earlier allows remote attackers to inject arbitrary PHP code via the (1) username, (2) password, and (3) email parameters when registering a user account, which can be
27-07-2013 - 01:38 17-12-2007 - 13:46
CVE-2010-3205 7.5
PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.
26-07-2013 - 02:27 03-09-2010 - 14:00
CVE-2010-4862 7.5
SQL injection vulnerability in the JExtensions JE Directory (com_jedirectory) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in an item action to index.php.
25-07-2013 - 12:28 05-10-2011 - 06:55
CVE-2012-1308 6.8
Cross-site request forgery (CSRF) vulnerability in redpass.cgi in D-Link DSL-2640B Firmware EU_4.00 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysPassword paramet
23-07-2013 - 05:33 08-10-2012 - 14:55
CVE-2010-1217 4.3
Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NO
23-07-2013 - 04:57 30-03-2010 - 19:30
CVE-2010-4795 7.5
SQL injection vulnerability in the JS Calendar (com_jscalendar) component 1.5.1 and 1.5.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the ev_id parameter in a details action to index.php. NOTE: some of these details are
21-07-2013 - 03:03 26-04-2011 - 20:55
CVE-2007-6368 5.0
Directory traversal vulnerability in index.php in ezContents 1.4.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the link parameter.
21-07-2013 - 02:27 14-12-2007 - 20:46
CVE-2010-1534 5.0
Directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
18-07-2013 - 11:10 26-04-2010 - 14:30
CVE-2010-0722 7.5
SQL injection vulnerability in news.php in Php Auktion Pro allows remote attackers to execute arbitrary SQL commands via the id parameter.
18-07-2013 - 11:08 26-02-2010 - 15:30
CVE-2010-4280 7.5
Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter i
17-07-2013 - 02:21 02-12-2010 - 12:15
CVE-2010-0467 5.0
Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
17-07-2013 - 02:13 02-02-2010 - 12:30
CVE-2012-1024 5.0
Directory traversal vulnerability in file in Enigma2 Webinterface 1.5rc1 and 1.5beta4 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
15-07-2013 - 02:21 07-02-2012 - 19:55
CVE-2012-4265 7.5
SQL injection vulnerability in category_edit.php in Proman Xpress 5.0.1 allows remote attackers to execute arbitrary SQL commands via the cid parameter.
14-07-2013 - 02:25 13-08-2012 - 18:55
CVE-2008-4885 7.5
SQL injection vulnerability in tr1.php in YourFreeWorld Scrolling Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
11-07-2013 - 01:45 03-11-2008 - 19:57
CVE-2010-0642 5.0
Cisco Collaboration Server (CCS) 5 allows remote attackers to read the source code of JHTML files via URL encoded characters in the filename extension, as demonstrated by (1) changing .jhtml to %2Ejhtml, (2) changing .jhtml to .jhtm%6C, (3) appending
10-07-2013 - 15:49 17-02-2010 - 13:30
CVE-2013-1414 5.1
Multiple cross-site request forgery (CSRF) vulnerabilities in Fortinet FortiOS on FortiGate firewall devices before 4.3.13 and 5.x before 5.0.2 allow remote attackers to hijack the authentication of administrators for requests that modify (1) setting
08-07-2013 - 00:00 08-07-2013 - 13:55
CVE-2012-1613 3.5
Cross-site scripting (XSS) vulnerability in edit_one_pic.php in Coppermine Photo Gallery before 1.5.20 allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the keywords parameter.
04-07-2013 - 03:30 04-09-2012 - 16:55
CVE-2010-5027 4.3
Cross-site scripting (XSS) vulnerability in winners.php in Science Fair In A Box (SFIAB) 2.0.6 and 2.2.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter. NOTE: some of these details are obtained from third party
04-07-2013 - 03:14 02-11-2011 - 17:55
CVE-2010-1721 7.5
SQL injection vulnerability in the Intellectual Property (aka IProperty or com_iproperty) component 1.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an agentproperties action to index.php.
04-07-2013 - 03:05 04-05-2010 - 12:00
CVE-2013-1814 4.0
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the passw
03-07-2013 - 13:03 13-03-2013 - 20:55
CVE-2012-6559 4.3
Multiple cross-site scripting (XSS) vulnerabilities in FreeNAC 3.02 allow remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) mac, (3) graphtype, (4) name, or (5) type parameter to stats.php; or (6) comment parameter to d
03-06-2013 - 00:00 23-05-2013 - 11:55
CVE-2008-6422 7.5
Multiple SQL injection vulnerabilities in PsychoStats 2.3, 2.3.1, and 2.3.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) weapon.php and (2) map.php.
31-05-2013 - 00:00 06-03-2009 - 13:30
CVE-2013-3721 7.5
SQL injection vulnerability in awards.php in PsychoStats 3.2.2b allows remote attackers to execute arbitrary SQL commands via the d parameter.
31-05-2013 - 00:00 31-05-2013 - 08:20
CVE-2012-2924 7.5
PHP remote file inclusion vulnerability in admin/setup.inc.php in Hypermethod eLearning Server 4G allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.
24-05-2013 - 23:11 21-05-2012 - 18:55
CVE-2012-2905 5.0
Artiphp CMS 5.5.0 Neo (r422) stores database backups with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request.
24-05-2013 - 23:11 21-05-2012 - 14:55
CVE-2012-6560 7.5
SQL injection vulnerability in deviceadd.php in FreeNAC 3.02 allows remote attackers to execute arbitrary SQL commands via the status parameter.
24-05-2013 - 09:32 23-05-2013 - 11:55
CVE-2012-6556 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the FirstLastNames plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) User/FirstName or (2) User/LastName parameter to the edit user page.
24-05-2013 - 09:24 23-05-2013 - 11:55
CVE-2012-6555 4.3
Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1.1 for Vanilla Forums allows remote attackers to inject arbitrary web script or HTML via the discussion title.
24-05-2013 - 08:44 23-05-2013 - 11:55
CVE-2012-6557 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the AboutMe plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) AboutMe/RealName, (2) AboutMe/Name, (3) AboutMe/Quote, (4) AboutMe/Loc, (5) A
24-05-2013 - 00:00 23-05-2013 - 11:55
CVE-2013-3536 7.5
SQL injection vulnerability in the gp_LoadUserFromHash function in functions_hash.php in the Group Pay module 1.5 and earlier for WHMCS allows remote attackers to execute arbitrary SQL commands via the hash parameter.
14-05-2013 - 10:48 13-05-2013 - 19:55
CVE-2013-3522 6.5
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2013-3524 7.5
SQL injection vulnerability in popupnewsitem/ in the Pop Up News module 2.0 and possibly earlier for phpVMS allows remote attackers to execute arbitrary SQL commands via the itemid parameter. NOTE: this was originally reported as a problem in phpVMS
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2013-3527 7.5
Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2013-3529 4.3
Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php in the WP FuneralPress plugin before 1.1.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) message, (2) photo-message, or (3) youtube-messag
13-05-2013 - 00:00 10-05-2013 - 17:55
CVE-2010-2103 4.3
Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other produc
09-05-2013 - 23:17 27-05-2010 - 18:30
CVE-2013-3050 7.5
SQL injection vulnerability in ZAPms 1.41 and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter to product.
15-04-2013 - 00:00 12-04-2013 - 18:55
CVE-2012-6534 4.3
Novell Sentinel Log Manager before 1.2.0.3 allows remote attackers to create data retention policies via a crafted text/x-gwt-rpc request to novelllogmanager/datastorageservice.rpc, and allows remote authenticated Report Administrators to create data
04-04-2013 - 00:00 29-03-2013 - 12:08
CVE-2013-1465 7.5
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using
26-03-2013 - 00:00 08-02-2013 - 15:55
CVE-2012-4178 7.5
SQL injection vulnerability in spywall/includes/deptUploads_data.php in Symantec Web Gateway 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via the groupid parameter.
25-03-2013 - 23:38 07-08-2012 - 18:55
CVE-2012-2584 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Alt-N MDaemon Free 12.5.4 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) the Cascading Style Sheets (CSS) expression property in conjunction wit
22-03-2013 - 23:10 12-08-2012 - 13:55
CVE-2012-3435 7.5
SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.
21-03-2013 - 23:11 15-08-2012 - 16:55
CVE-2012-3294 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Web Gateway component in IBM WebSphere MQ File Transfer Edition 7.0.4 and earlier, and WebSphere MQ - Managed File Transfer 7.5, allow remote attackers to hijack the authentication of
21-03-2013 - 23:11 17-08-2012 - 06:31
CVE-2012-2601 7.5
SQL injection vulnerability in WrVMwareHostList.asp in Ipswitch WhatsUp Gold 15.02 allows remote attackers to execute arbitrary SQL commands via the sGroupList parameter.
21-03-2013 - 23:10 15-08-2012 - 18:55
CVE-2013-1469 4.0
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.
19-03-2013 - 00:00 13-03-2013 - 16:55
CVE-2011-5212 7.5
SQL injection vulnerability in admin/index.php in Subrion CMS 2.0.4 allows remote attackers to execute arbitrary SQL commands via the (1) user name or (2) password field.
13-02-2013 - 23:47 22-10-2012 - 19:55
CVE-2011-5257 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Classipress theme before 3.1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) twitter_id parameter related to the Twitter widget and (2) facebook_id p
13-02-2013 - 00:00 12-02-2013 - 15:55
CVE-2011-5262 7.5
SQL injection vulnerability in prodpage.cfm in SonicWALL Aventail allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter.
13-02-2013 - 00:00 12-02-2013 - 15:55
CVE-2011-1524 4.3
Cross-site scripting (XSS) vulnerability in the management login GUI page in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to inject arbitrary web script or HTML via the username field, as demonstrated by injecting an IFR
06-02-2013 - 23:43 28-03-2011 - 14:55
CVE-2011-0545 6.8
Cross-site request forgery (CSRF) vulnerability in adduser.do in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts, and possi
06-02-2013 - 23:41 28-03-2011 - 12:55
CVE-2012-5864 10.0
The management web pages on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 do not require authenti
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-5863 10.0
ping.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allows remote attackers to execute arbi
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-5862 10.0
login.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 establishes multiple hardcoded account
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-5861 7.5
Multiple SQL injection vulnerabilities on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allow rem
02-02-2013 - 00:10 23-11-2012 - 07:09
CVE-2012-3448 7.5
Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.
02-02-2013 - 00:05 06-08-2012 - 14:55
CVE-2012-6523 4.3
Multiple cross-site scripting (XSS) vulnerabilities in w-CMS 2.01 allow remote attackers to inject arbitrary web script or HTML via (1) the p parameter in the getMenus function in codes/wcms.php; or the COMMENT parameter in (2) blog.php, (3) guestboo
31-01-2013 - 23:53 31-01-2013 - 00:44
CVE-2010-5287 7.5
SQL injection vulnerability in default.php in Cornerstone Technologies webConductor allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 08:48 31-01-2013 - 00:43
CVE-2012-1671 6.8
Directory traversal vulnerability in index.php in phpPaleo 4.8b155 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5330 4.3
Multiple cross-site scripting (XSS) vulnerabilities in asaanCart 0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to calc.php, (2) chat.php, (3) register.php, or (4) index.php in libs/smarty_ajax/; or the (5) pa
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5331 6.8
Directory traversal vulnerability in asaanCart 0.9 allows remote attackers to include arbitrary local files via a .. (dot dot) in the page parameter to index.php.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5333 7.5
SQL injection vulnerability in page.php in Pre Printing Press allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-5334 7.5
SQL injection vulnerability in product_desc.php in Pre Printing Press allows remote attackers to execute arbitrary SQL commands via the pid parameter.
31-01-2013 - 00:00 08-10-2012 - 19:55
CVE-2012-6522 5.0
Directory traversal vulnerability in the getContent function in codes/wcms.php in w-CMS 2.01 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter. NOTE: some of these details are obtained from third party information
31-01-2013 - 00:00 31-01-2013 - 00:44
CVE-2012-6524 7.5
SQL injection vulnerability in kommentar.php in pGB 2.12 allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 00:00 31-01-2013 - 00:44
CVE-2012-6525 7.5
SQL injection vulnerability in members.php in PHPBridges allows remote attackers to execute arbitrary SQL commands via the id parameter.
31-01-2013 - 00:00 31-01-2013 - 00:44
CVE-2012-5349 2.6
Multiple cross-site scripting (XSS) vulnerabilities in pay.php in the Pay With Tweet plugin before 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) title, or (3) dl parameter.
30-01-2013 - 00:00 09-10-2012 - 11:55
CVE-2012-1125 6.8
Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin before 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a PHP extension, then accessing it via a di
29-01-2013 - 23:48 08-10-2012 - 13:55
CVE-2012-6504 7.5
SQL injection vulnerability in mods/hours/data/get_hours.php in PHP Volunteer Management 1.0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6505 4.3
Cross-site scripting (XSS) vulnerability in mods/hours/data/get_hours.php in PHP Volunteer Management 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6516 7.5
SQL injection vulnerability in PHP Ticket System Beta 1 allows remote attackers to execute arbitrary SQL commands via the q parameter to index.php.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6517 4.3
Multiple cross-site scripting (XSS) vulnerabilities in DiY-CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) question parameter to modules/poll/add.php or (2) question or (3) answer parameter to modules/poll/edit.p
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6518 6.8
Cross-site request forgery (CSRF) vulnerability in mod.php in DiY-CMS 1.0 allows remote attackers to hijack the authentication of administrators for requests that create a poll via an add action to the poll module.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2012-6519 7.5
SQL injection vulnerability in modules/poll/index.php in DIY-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the start parameter to mod.php.
29-01-2013 - 00:00 23-01-2013 - 20:55
CVE-2008-3498 7.5
SQL injection vulnerability in the nBill (com_netinvoice) component 1.2.0 SP1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in an orders action to index.php. NOTE: some of these details are obtained from
24-01-2013 - 00:00 06-08-2008 - 14:41
CVE-2009-1480 7.5
SQL injection vulnerability in index.php in Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors.
23-01-2013 - 00:00 29-04-2009 - 14:30
CVE-2012-6500 5.0
Directory traversal vulnerability in download.lib.php in Pragyan CMS 3.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the fileget parameter in a profile action to index.php.
23-01-2013 - 00:00 11-01-2013 - 23:33
CVE-2012-5874 7.5
Multiple SQL injection vulnerabilities in the (1) update_whosonline_reg and (2) update_whosonline_guest functions in Elite Bulletin Board before 2.1.22 allow remote attackers to execute arbitrary SQL commands via the PATH_INFO to (a) checkuser.php, (
21-01-2013 - 00:00 11-01-2013 - 23:33
CVE-2012-5891 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in photo/pass.php in DAlbum 1.44 build 174 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an add action, (2) change use
15-01-2013 - 00:00 17-11-2012 - 16:55
CVE-2012-5899 4.3
Cross-site scripting (XSS) vulnerability in admin/action/objects.php in SAMEDIA LandShop 0.9.2 allows remote attackers to inject arbitrary web script or HTML via the OTR_HEADS[] parameter in an edit action. NOTE: some of these details are obtained fr
15-01-2013 - 00:00 17-11-2012 - 16:55
CVE-2012-5900 7.5
Multiple SQL injection vulnerabilities in SAMEDIA LandShop 0.9.2 allow remote attackers to execute arbitrary SQL commands via the (1) OB_ID parameter in a single action to admin/action/objects.php, (2) AREA_ID parameter in a single action to admin/ac
15-01-2013 - 00:00 17-11-2012 - 16:55
CVE-2012-6499 5.8
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter.
14-01-2013 - 00:00 11-01-2013 - 23:33
CVE-2012-6433 6.8
Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action.
07-01-2013 - 00:00 03-01-2013 - 06:54
CVE-2012-6434 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) do
07-01-2013 - 00:00 03-01-2013 - 06:54
CVE-2012-1153 6.8
Unrestricted file upload vulnerability in addons/uploadify/uploadify.php in appRain CMF 0.1.5 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to th
03-01-2013 - 23:36 06-10-2012 - 17:55
CVE-2009-1049 7.5
SQL injection vulnerability in articleCall.php in Bloginator 1A allows remote attackers to execute arbitrary SQL commands via the id parameter.
03-01-2013 - 00:00 24-03-2009 - 10:30
CVE-2011-5186 4.3
Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop plugin for e107 7 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter.
20-12-2012 - 00:00 20-09-2012 - 06:55
CVE-2012-2209 4.3
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the langua
18-12-2012 - 23:52 14-08-2012 - 18:55
CVE-2012-2208 7.5
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
18-12-2012 - 23:52 14-08-2012 - 18:55
CVE-2011-5183 7.5
Multiple SQL injection vulnerabilities in OrderSys 1.6.4 and earlier allow remote attackers to execute arbitrary SQL commands via the where_clause parameter to (1) index.php, (2) index_long.php, or (3) index_short.php in ordering/interface_creator/.
17-12-2012 - 00:00 20-09-2012 - 06:55
CVE-2012-4991 8.5
Multiple directory traversal vulnerabilities in Axway SecureTransport 5.1 SP2 and earlier allow remote authenticated users to (1) read, (2) delete, or (3) create files, or (4) list directories, via a ..%5C (encoded dot dot backslash) in a URI.
13-12-2012 - 00:00 13-12-2012 - 06:53
CVE-2010-5285 6.8
Cross-site request forgery (CSRF) vulnerability in admin.php in Collabtive 0.6.5 allows remote attackers to hijack the authentication of administrators for requests that add administrative users via the edituser action.
28-11-2012 - 23:27 26-11-2012 - 18:55
CVE-2010-5280 7.5
Directory traversal vulnerability in the Community Builder Enhanced (CBE) (com_cbe) component 1.4.8, 1.4.9, and 1.4.10 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tabname parameter in a u
27-11-2012 - 00:00 26-11-2012 - 18:55
CVE-2012-6038 6.5
admin/core/admin_func.php in razorCMS before 1.2.1 does not properly restrict access to certain administrator directories and files, which allows remote authenticated users to read, edit, rename, move, copy and delete files via the (1) dir parameter
27-11-2012 - 00:00 26-11-2012 - 17:55
CVE-2012-6039 7.5
SQL injection vulnerability in view_comments.php in YABSoft Advanced Image Hosting (AIH) Script, possibly 2.3, allows remote attackers to execute arbitrary SQL commands via the gal parameter.
27-11-2012 - 00:00 26-11-2012 - 17:55
CVE-2012-6047 6.8
Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that add a user to an arbitrary group via the users page in an adminpanel action to ind
27-11-2012 - 00:00 26-11-2012 - 23:49
CVE-2008-3128 5.0
Directory traversal vulnerability in search.php in Pivot 1.40.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the t parameter.
26-11-2012 - 22:48 10-07-2008 - 19:41
CVE-2012-4344 4.3
Cross-site scripting (XSS) vulnerability in Ipswitch WhatsUp Gold 15.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the SNMP system name of the attacking host.
20-11-2012 - 23:22 15-08-2012 - 18:55
CVE-2012-1673 7.5
SQL injection vulnerability in loginscript.php in e-ticketing allows remote attackers to execute arbitrary SQL commands via the password parameter.
19-11-2012 - 23:43 11-04-2012 - 06:39
CVE-2012-1672 7.5
SQL injection vulnerability in getcity.php in Hotel Booking Portal 0.1 allows remote attackers to execute arbitrary SQL commands via the country parameter.
19-11-2012 - 23:43 11-04-2012 - 06:39
CVE-2012-5918 4.0
razorCMS 1.2 allows remote authenticated users to access administrator directories and files by creating and deleting a directory.
19-11-2012 - 10:51 19-11-2012 - 07:10
CVE-2012-5898 6.8
Cross-site request forgery (CSRF) vulnerability in SAMEDIA LandShop 0.9.2 allows remote attackers to hijack the authentication of administrators for requests that change account settings.
19-11-2012 - 00:00 17-11-2012 - 16:55
CVE-2012-5912 7.5
Multiple SQL injection vulnerabilities in PicoPublisher 2.0 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) page.php or (2) single.php.
19-11-2012 - 00:00 17-11-2012 - 16:55
CVE-2011-5211 4.3
Cross-site scripting (XSS) vulnerability in the poll module in Subrion CMS 2.0.4 allows remote attackers to inject arbitrary web script or HTML via the title field. NOTE: some of these details are obtained from third party information. NOTE: this m
15-11-2012 - 00:00 22-10-2012 - 19:55
CVE-2011-5228 4.3
Cross-site scripting (XSS) vulnerability in the Search module (quickstart/search) in appRain CMF 0.1.5 allows remote attackers to inject arbitrary web script or HTML via the ss parameter.
08-11-2012 - 00:00 25-10-2012 - 13:55
CVE-2012-1900 6.8
Cross-site request forgery (CSRF) vulnerability in admin/index.php in RazorCMS 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary web pages via a showcats action.