
20 matches found

NVD
added 2026/03/24 12:16 p.m. · 1 views

CVE-2019-25640

Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters. Attackers can inject SQL code using XOR-based payloads in GET requests to portalLogin.php to extract sensitive database information...

CVSS 8.8 · EPSS 0.00045
Exploits 0 · References 3

RedhatCVE
added 2025/12/10 6:13 p.m. · 3 views

CVE-2025-41066

Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the...

CVSS 6.9 · AI score 6.9 · EPSS 0.0005
Exploits 0 · References 1

OSV
added 2025/12/02 2:16 p.m. · 3 views

CVE-2025-41066

Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the...

CVSS 5.3 · AI score 6.9
Exploits 0 · References 1

Vulnrichment
added 2025/12/02 2:1 p.m. · 5 views

CVE-2025-41066 Disclosure of sensitive information in Horde Groupware

Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the...

CVSS 6.9 · AI score 6.6 · EPSS 0.0005
Exploits 0 · References 1

Cvelist
added 2025/12/02 2:1 p.m. · 5 views

CVE-2025-41066 Disclosure of sensitive information in Horde Groupware

Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the...

CVSS 6.9 · EPSS 0.0005
Exploits 0 · References 1

CVE
added 2025/12/02 2:1 p.m. · 8 views

CVE-2025-41066

The vulnerability concerns Horde Groupware v5.2.22. Affected component: Horde Groupware web interface. Root cause: unauthenticated user enumeration via HTTP request to /imp/attachment.php with parameters id and u, causing the server to reveal whether a user exists (returns an empty file when the ...

CVSS 6.9 · AI score 6.6 · EPSS 0.0005
Exploits 0 · References 1 · Affected Software 1

Positive Technologies
added 2025/12/02 12:0 a.m. · 1 views

PT-2025-48687

Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the...

CVSS 6.9 · AI score 6.9 · EPSS 0.0005
Exploits 0 · References 2

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2014-2765

Malware in sbrugna...

CVSS 7.5 · AI score 6.4 · EPSS 0.00289
Exploits 1 · References 3

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2010-4966

Malware in sbrugna...

CVSS 4.3 · AI score 6.4 · EPSS 0.0631
Exploits 0 · References 7

OSV
added 2025/04/17 6:15 p.m. · 1 views

CVE-2025-28009

A SQL Injection vulnerability exists in the u parameter of the progress-body-weight.php endpoint of Dietiqa App v1.0.20...

CVSS 9.8 · AI score 5.8 · EPSS 0.0014
Exploits 1 · References 1

OSV
added 2021/11/01 12:15 p.m. · 0 views

CVE-2021-25876

AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross-Site Scripting vulnerabilities via the u parameter which allow a remote attacker to steal administrators' session cookies or perform actions as an administrator...

CVSS 6.1 · AI score 6.4 · EPSS 0.00435
Exploits 1 · References 3

Positive Technologies
added 2021/11/01 12:0 a.m. · 1 views

PT-2021-16824 · Unknown · Avideo/Youphptube

Name of the Vulnerable Software and Affected Versions: AVideo/YouPHPTube versions 10.0 and prior
Description: The issue allows a remote attacker to steal administrators' session cookies or perform actions as an administrator due to multiple reflected Cross-Site Scripting vulnerabilities via the...

CVSS 6.1 · AI score 6.3 · EPSS 0.00435
Exploits 1 · References 6

Hacker One
added 2019/01/22 1:21 p.m. · 64 views

DuckDuckGo: XXE on https://duckduckgo.com

An XML External Entity (XXE) injection vulnerability was discovered in the x.js endpoint on https://duckduckgo.com via the u parameter. This was due to improper sanitation of external XML entities. The result was a leak of certain world readable files on the system. This issue was patched. Additionall...

AI score 0.8
Exploits 0

UbuntuCve
added 2016/05/22 1:59 a.m. · 17 views

CVE-2016-2222

The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php...

CVSS 8.6 · AI score 7.2 · EPSS 0.05172
Exploits 1 · References 4

NVD
added 2014/04/22 2:23 p.m. · 9 views

CVE-2014-2737

SQL injection vulnerability in the get_active_session function in the KTAPI_UserSession class in webservice/clienttools/services/mdownload.php in KnowledgeTree 3.7.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the u parameter, related to the getFileName function...

CVSS 7.5 · AI score 8.3 · EPSS 0.00289
Exploits 1 · References 2

Cvelist
added 2014/04/22 2:0 p.m. · 15 views

CVE-2014-2737

SQL injection vulnerability in the get_active_session function in the KTAPI_UserSession class in webservice/clienttools/services/mdownload.php in KnowledgeTree 3.7.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the u parameter, related to the getFileName function...

AI score 8.3 · EPSS 0.00289
Exploits 1 · References 2

ATTACKERKB
added 2011/11/01 10:55 p.m. · 2 views

CVE-2010-5002

Cross-site scripting (XSS) vulnerability in modules/slideshowmodule/slideshow.js.php in Exponent CMS 0.97.0 allows remote attackers to inject arbitrary web script or HTML via the u parameter...

CVSS 4.3 · AI score 5.7 · EPSS 0.0631
Exploits 0 · References 7

NVD
added 2010/10/27 7:0 p.m. · 12 views

CVE-2010-4097

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Aardvark Topsites PHP 5.2.0 and 5.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) mail, (2) title, (3) u, and (4) url parameters. NOTE: the q parameter is already covered by CVE-2009-2302...

CVSS 4.3 · AI score 5.7 · EPSS 0.00254
Exploits 0 · References 3

Prion
added 2010/10/27 7:0 p.m. · 14 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Aardvark Topsites PHP 5.2.0 and 5.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) mail, (2) title, (3) u, and (4) url parameters. NOTE: the q parameter is already covered by CVE-2009-2302...

CVSS 4.3 · AI score 6 · EPSS 0.023
Exploits 1 · References 3 · Affected Software 1

Prion
added 2007/09/14 12:17 a.m. · 12 views

Sql injection

SQL injection vulnerability in profile/myprofile.php in psi-labs.com social networking script psisns, probably 1.0, allows remote attackers to execute arbitrary SQL commands via the u parameter...

CVSS 7.5 · AI score 9.1 · EPSS 0.00785
Exploits 0 · References 7 · Affected Software 1