Lucene search
262 matches found

Prion
added 2008/03/12 5:44 p.m., 9 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php...

4.3 CVSS | 6 AI score | 0.02215 EPSS
Exploits 0 | References 7 | Affected Software 1

CVE
added 2008/03/12 5:0 p.m., 39 views

CVE-2008-1304

CVE-2008-1304 concerns WordPress 2.3.2, which is affected by multiple XSS vulnerabilities in two parameters: (1) inviteemail in wp-admin/users.php (invite action) and (2) the to parameter in a sent action to wp-admin/invites.php. The underlying issue is cross-site scripting that could allow remot...

4.3 CVSS | 5.8 AI score | 0.02215 EPSS
Exploits 0 | References 7 | Affected Software 1

NVD
added 2008/02/12 2:0 a.m., 10 views

CVE-2008-0714

SQL injection vulnerability in users.php in Mihalism Multi Host allows remote attackers to execute arbitrary SQL commands via the username parameter in a lostpasswordgo action...

6.8 CVSS | 8.3 AI score | 0.00541 EPSS
Exploits 0 | References 4

Prion
added 2007/08/29 1:17 a.m., 14 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in InterWorx Hosting Control Panel InterWorx-CP Webmaster Level SiteWorx 3.0.2 (1) allow remote attackers to inject arbitrary web script or HTML via the PATHINFO to index.php; and allow remote authenticated users to inject arbitrary web script or HT...

4.3 CVSS | 5.7 AI score | 0.01007 EPSS
Exploits 0 | References 22 | Affected Software 1

CVE
added 2007/04/18 10:0 a.m., 46 views

CVE-2007-2084

CVE-2007-2084 affects MobilePublisherphp version 1.1.2 and is described as a PHP remote file inclusion vulnerability in the admin directory. The issue permits an attacker to supply a URL in the auth_method parameter to any of the admin PHP files (index.php, list.php, postreview.php, reindex.php, ...

6.8 CVSS | 7.6 AI score | 0.01243 EPSS
Exploits 0 | References 5 | Affected Software 1

Prion
added 2007/03/20 10:19 p.m., 15 views

SQL injection

Multiple SQL injection vulnerabilities in phpx 3.5.15 allow remote attackers to execute arbitrary SQL commands via the (1) imageid or (2) catid parameter to (a) gallery.php; the (3) newsid parameter to (b) news.php or (c) print.php; (4) the newscatid parameter to news.php; the (5) catid, (6) topicid, or (7) postid...

7.5 CVSS | 9.2 AI score | 0.01899 EPSS
Exploits 0 | References 11 | Affected Software 1

Cvelist
added 2007/03/20 10:0 p.m., 17 views

CVE-2007-1550

Multiple SQL injection vulnerabilities in phpx 3.5.15 allow remote attackers to execute arbitrary SQL commands via the (1) imageid or (2) catid parameter to (a) gallery.php; the (3) newsid parameter to (b) news.php or (c) print.php; (4) the newscatid parameter to news.php; the (5) catid, (6) topicid, or (7) postid...

8.5 AI score | 0.01899 EPSS
Exploits 0 | References 11

Prion
added 2007/03/10 10:19 p.m., 10 views

Code injection

Direct static code injection vulnerability in startsession.php in Flat Chat 2.0 allows remote attackers to execute arbitrary PHP code via the Chat Name field, which is inserted into online.txt and included by users.php. NOTE: some of these details are obtained from third party information...

10 CVSS | 8.3 AI score | 0.10749 EPSS
Exploits 1 | References 6 | Affected Software 1

NVD
added 2007/03/10 10:19 p.m., 9 views

CVE-2007-1394

Direct static code injection vulnerability in startsession.php in Flat Chat 2.0 allows remote attackers to execute arbitrary PHP code via the Chat Name field, which is inserted into online.txt and included by users.php. NOTE: some of these details are obtained from third party information...

10 CVSS | 7.8 AI score | 0.10749 EPSS
Exploits 1 | References 6

Cvelist
added 2007/01/03 8:0 p.m., 15 views

CVE-2006-4582

Cross-site request forgery (CSRF) vulnerability in The Address Book 1.04e allows remote attackers to perform unauthorized actions as other users via unspecified vectors, as demonstrated by deleting arbitrary users via the id parameter in a deleteuser action in users.php...

7 AI score | 0.00502 EPSS
Exploits 1 | References 4

seebug.org
added 2006/12/06 12:0 a.m., 17 views

WEBInsta CMS <= 0.3.1 (users.php) Remote File Include Vulnerability

No description provided by source. / Vulnerable product : http://www.webinsta.com/download.html WEBInsta. CMS 0.3.1 Author : Yns - yns.zaxaz.com / Exploit: http://HOST/PATH/modules/usersonline/users.php?moduledir=REMOTEFILE...

7.1 AI score
Exploits 0

Exploit DB
added 2006/11/16 12:0 a.m., 33 views

Eggblog 3.1 admin/users.php add Parameter XSS

Eggblog 3.1 admin/users.php add Parameter XSS. CVE-2006-6046. Webapps exploit for php platform source: http://www.securityfocus.com/bid/21134/info Eggblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage...

6.8 CVSS | 0.4 AI score | 0.01256 EPSS
Exploits 4

Cvelist
added 2006/09/13 11:0 p.m., 17 views

CVE-2006-4757

Multiple SQL injection vulnerabilities in the admin section in e107 0.7.5 allow remote authenticated administrative users to execute arbitrary SQL commands via the (1) linkopentype, (2) linkrender, (3) linkclass, and (4) linkid parameters in (a) links.php; the (5) searchquery parameter in (b) users.php; and th...

8.1 AI score | 0.00414 EPSS
Exploits 0 | References 3

securityvulns
added 2006/09/04 12:0 a.m., 56 views

Sql injections in e107 [Admin section]

Hi, There are several sql injections in e107 0.7.5 admin section : I The "linkopentype", "linkrender" and "linkclass" parameters are passed to "dbInsert" function without checking : File /e107admin/links.php, Line 496 : $sql-dbInsert"links", "0, '$linkname', '$linkurl', '$linkdescription',...

2.1 AI score
Exploits 0

exploitpack
added 2006/08/15 12:0 a.m., 8 views

WEBInsta CMS 0.3.1 - users.php Remote File Inclusion

WEBInsta CMS 0.3.1 - users.php Remote File Inclusion / Vulnerable product : http://www.webinsta.com/download.html WEBInsta. CMS 0.3.1 Author : Yns - yns.zaxaz.com / Exploit: http://HOST/PATH/modules/usersonline/users.php?moduledir=REMOTEFILE milw0rm.com 2006-08-15...

0.5 AI score
Exploits 0

Cvelist
added 2006/06/29 9:0 p.m., 14 views

CVE-2006-3316

Multiple PHP remote file inclusion vulnerabilities in phpRaid 3.0.5 allow remote attackers to execute arbitrary code via a URL in the phpraiddir parameter to (1) logs.php and (2) users.php, a different set of vectors than CVE-2006-3116...

7.5 AI score | 0.0489 EPSS
Exploits 0 | References 6

securityvulns
added 2006/04/11 12:0 a.m., 27 views

Vegadns blind sql injection and cross site scripting

Author : Ph03n1X email : [email protected] site : http://kandangjamur.net/ vendor : www.vegadns.org version: 0.99 XSS ---- PoC : http://exam.com/vegadns/index.php?VDNSSessid=m42644r75o1eg4f7mb7e4rnpg7&message=3Ch13E3Cmarquee3Ealoo3C/marquee3E3C/h13E Vulnerable script is located in index.php...

0.9 AI score
Exploits 0

Cvelist
added 2006/02/21 11:0 p.m., 11 views

CVE-2006-0823

Multiple SQL injection vulnerabilities in Geeklog 1.4.0 before 1.4.0sr1 and 1.3.11 before 1.3.11sr4 allow remote attackers to inject arbitrary SQL commands via the (1) userid variable to users.php or (2) sessid variable to lib-sessions.php...

8 AI score | 0.01258 EPSS
Exploits 2 | References 8

CVE
added 2005/07/19 4:0 a.m., 48 views

CVE-2005-2323

Multiple SQL injection vulnerabilities in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allow remote attackers to modify SQL statements via the following parameters: (1) id in viewattach.php, (2) viewuser_id in users.php, and (3) id or (4) forum in viewforum.php. Affecte...

7.5 CVSS | 8.3 AI score | 0.00752 EPSS
Exploits 1 | References 7 | Affected Software 2

CVE
added 2005/02/10 5:0 a.m., 39 views

CVE-2005-0305

CVE-2005-0305 affects Siteman 1.1.10 and earlier. A CRLF injection vulnerability in users.php, triggered via the line parameter in a docreate operation, allows remote attackers with valid credentials to create arbitrary user accounts and gain privileges (administrative access). The root cause is ...

7.5 CVSS | 7.2 AI score | 0.08521 EPSS
Exploits 1 | References 6 | Affected Software 1