ExoPHPDesk 1.2.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by upgrades/upgrade9.php and certain other files.

Cross-site scripting (XSS) vulnerability in ExoPHPdesk allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a user profile, possibly the (1) name and (2) website parameters to register.php.

SQL injection vulnerability in index.php in ExoPHPdesk allows remote attackers to execute arbitrary SQL commands via the user parameter in a profile fn action.

SQL injection vulnerability in faq.php in ExoPHPDesk 1.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.